draft-ietf-ecrit-unauthenticated-access-10.txt   rfc7406.txt 
ECRIT H. Schulzrinne Internet Engineering Task Force (IETF) H. Schulzrinne
Internet-Draft Columbia University Request for Comments: 7406 Columbia University
Intended status: Standards Track S. McCann Category: Informational S. McCann
Expires: February 13, 2015 Research in Motion UK Ltd ISSN: 2070-1721 BlackBerry Ltd
G. Bajko G. Bajko
MediaTek
H. Tschofenig H. Tschofenig
D. Kroeselberg D. Kroeselberg
Siemens Siemens Corporate Technology
August 12, 2014 December 2014
Extensions to the Emergency Services Architecture for dealing with Extensions to the Emergency Services Architecture for Dealing With
Unauthenticated and Unauthorized Devices Unauthenticated and Unauthorized Devices
draft-ietf-ecrit-unauthenticated-access-10.txt
Abstract Abstract
This document provides a problem statement, introduces terminology This document provides a problem statement, introduces terminology,
and describes an extension for the base IETF emergency services and describes an extension for the base IETF emergency services
architecture to address cases where an emergency caller is not architecture to address cases where an emergency caller is not
authenticated, has no identifiable service provider, or has no authenticated, has no identifiable service provider, or has no
remaining credit with which to pay for access to the network. remaining credit with which to pay for access to the network.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This document is not an Internet Standards Track specification; it is
provisions of BCP 78 and BCP 79. published for informational purposes.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
This Internet-Draft will expire on February 13, 2015. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7406.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. Use Case Categories . . . . . . . . . . . . . . . . . . . . . 5 3. Use-Case Categories . . . . . . . . . . . . . . . . . . . . . 5
4. ZBP Considerations . . . . . . . . . . . . . . . . . . . . . 11 4. ZBP Considerations . . . . . . . . . . . . . . . . . . . . . 12
5. NASP Considerations . . . . . . . . . . . . . . . . . . . . . 11 5. NASP Considerations . . . . . . . . . . . . . . . . . . . . . 12
5.1. End Host Profile . . . . . . . . . . . . . . . . . . . . 14 5.1. End-Host Profile . . . . . . . . . . . . . . . . . . . . 15
5.1.1. LoST Server Discovery . . . . . . . . . . . . . . . . 14 5.1.1. LoST Server Discovery . . . . . . . . . . . . . . . . 15
5.1.2. ESRP Discovery . . . . . . . . . . . . . . . . . . . 14 5.1.2. ESRP Discovery . . . . . . . . . . . . . . . . . . . 15
5.1.3. Location Determination and Location Configuration . . 14 5.1.3. Location Determination and Location Configuration . . 15
5.1.4. Emergency Call Identification . . . . . . . . . . . . 14 5.1.4. Emergency Call Identification . . . . . . . . . . . . 15
5.1.5. SIP Emergency Call Signaling . . . . . . . . . . . . 14 5.1.5. SIP Emergency Call Signaling . . . . . . . . . . . . 15
5.1.6. Media . . . . . . . . . . . . . . . . . . . . . . . . 15 5.1.6. Media . . . . . . . . . . . . . . . . . . . . . . . . 16
5.1.7. Testing . . . . . . . . . . . . . . . . . . . . . . . 15 5.1.7. Testing . . . . . . . . . . . . . . . . . . . . . . . 16
5.2. IAP/ISP Profile . . . . . . . . . . . . . . . . . . . . . 15 5.2. IAP/ISP Profile . . . . . . . . . . . . . . . . . . . . . 16
5.2.1. ESRP Discovery . . . . . . . . . . . . . . . . . . . 15 5.2.1. ESRP Discovery . . . . . . . . . . . . . . . . . . . 16
5.2.2. Location Determination and Location Configuration . . 15 5.2.2. Location Determination and Location Configuration . . 16
5.3. ESRP Profile . . . . . . . . . . . . . . . . . . . . . . 15 5.3. ESRP Profile . . . . . . . . . . . . . . . . . . . . . . 16
5.3.1. Emergency Call Routing . . . . . . . . . . . . . . . 15 5.3.1. Emergency Call Routing . . . . . . . . . . . . . . . 16
5.3.2. Emergency Call Identification . . . . . . . . . . . . 15 5.3.2. Emergency Call Identification . . . . . . . . . . . . 16
5.3.3. SIP Emergency Call Signaling . . . . . . . . . . . . 16 5.3.3. SIP Emergency Call Signaling . . . . . . . . . . . . 17
6. Lower Layer Considerations for NAA Case . . . . . . . . . . . 16 6. Lower-Layer Considerations for NAA Case . . . . . . . . . . . 17
6.1. Link Layer Emergency Indication . . . . . . . . . . . . . 17 6.1. Link-Layer Emergency Indication . . . . . . . . . . . . . 18
6.2. Securing Network Attachment in NAA Cases . . . . . . . . 18 6.2. Securing Network Attachment in NAA Cases . . . . . . . . 19
7. Security Considerations . . . . . . . . . . . . . . . . . . . 19 7. Security Considerations . . . . . . . . . . . . . . . . . . . 20
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 20 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 21
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21 8.1. Normative References . . . . . . . . . . . . . . . . . . 21
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 21 8.2. Informative References . . . . . . . . . . . . . . . . . 22
10.1. Normative References . . . . . . . . . . . . . . . . . . 21 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 24
10.2. Informative References . . . . . . . . . . . . . . . . . 22 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 25
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23
1. Introduction 1. Introduction
Summoning police, the fire department or an ambulance in emergencies Summoning police, the fire department, or an ambulance in emergencies
is one of the fundamental and most-valued functions of the telephone. is one of the fundamental and most-valued functions of the telephone.
As telephone functionality moves from circuit-switched telephony to As telephony functionality moves from circuit-switched telephony to
Internet telephony, its users rightfully expect that this core Internet telephony, its users rightfully expect that this core
functionality will continue to work at least as well as it has for functionality will continue to work at least as well as it has for
the older technology. New devices and services are being made the older technology. New devices and services are being made
available that could be used to make a request for help, those available that could be used to make a request for help; those
devices are not traditional telephones, and users are increasingly devices are not traditional telephones, and users are increasingly
expecting them to be used to place emergency calls. expecting them to be able to place emergency calls.
Roughly speaking, the IETF emergency services architecture (see Roughly speaking, the IETF emergency services architecture (see
[RFC6881] and [RFC6443]) divides responsibility for handling [RFC6881] and [RFC6443]) divides responsibility for handling
emergency calls among the access network (ISP); the application emergency calls among the access network (Internet Access Provider
service provider (ASP), which may be a VoIP service provider (VSP); (IAP) or ISP); the application service provider (ASP), which may be a
and the provider of emergency signaling services, the emergency VoIP service provider (VSP); and the provider of emergency signaling
service network (ESN). The access network may provide location services, the emergency service network (ESN). The access network
information to end systems, but does not have to provide any ASP may provide location information to end systems but does not have to
signaling functionality. The emergency caller can reach the ESN provide any ASP signaling functionality. The emergency caller can
either directly or through the ASP's outbound proxy. Any of the reach the ESN either directly or through the ASP's outbound proxy.
three parties can provide the mapping from location to PSAP URI by Any of the three parties can provide the mapping from location to the
offering LoST [RFC5222] services. Public Safety Answering Point (PSAP) URI by offering Location-to-
Service Translation (LoST) [RFC5222] services.
In general, a set of automated configuration mechanisms allows a In general, a set of automated configuration mechanisms allows a
device to function in a variety of architectures, without the user device to function in a variety of architectures, without the user
being aware of the details on who provides location, mapping services being aware of the details on who provides location, mapping
or call routing services. However, if emergency calling is to be services, or call-routing services. However, if emergency calling is
supported when the calling device lacks access network authorization to be supported when the calling device lacks access network
or does not have an ASP, one or more of the providers may need to authorization or does not have an ASP, one or more of the providers
provide additional services and functions. may need to provide additional services and functions.
In all cases, the end device has to be able to perform a LoST lookup In all cases, the end device has to be able to perform a LoST lookup
and otherwise conduct the emergency call in the same manner as when and otherwise conduct the emergency call in the same manner as when
the three exceptional conditions discussed below do not apply. the three exceptional conditions discussed below do not apply.
We distinguish among three conditions: We distinguish among three conditions:
No Access Authentication (NAA): In the NAA case, the emergency No Access Authentication (NAA): In the NAA case, the emergency
caller does not posses valid credentials for the access network. caller does not posses valid credentials for the access network.
This includes the case where the access network allows pay-per- This includes the case where the access network allows
use, as is common for wireless hotspots, but there is insufficient pay-per-use, as is common for wireless hotspots, but there is
time to enter credit card details and other registration insufficient time to enter credit card details and other
information required for access. It also covers all cases where registration information required for access. It also covers all
either no credentials are available at all, or the available cases where either no credentials are available at all or the
credentials do not work for the given IAP/ISP. As a result, the available credentials do not work for the given IAP/ISP. As a
NAA case basically combines the below NASP and ZBP cases, but at result, the NAA case basically combines the No ASP (NASP) and
the IAP/ISP level. Support for emergency call handling in the NAA zero-balance ASP (ZBP) cases below, but at the IAP/ISP level.
case is subject to the local policy of the ISP. Such policy may Support for emergency call handling in the NAA case is subject to
vary substantially between ISPs and typically depends on external the local policy of the ISP. Such policy may vary substantially
factors that are not under the ISP control. between ISPs and typically depends on external factors that are
not under the ISP control.
No ASP (NASP): The caller does not have an ASP at the time of the No ASP (NASP): The caller does not have an ASP at the time of the
call. This can occur either in case the caller does not possess call. This can occur in case the caller either does not possess
any valid subscription for a reachable ASP, or in case none of the any valid subscription for a reachable ASP or does possess a valid
ASPs where the caller owns a valid subscription is reachable subscription but none of the ASPs are reachable through the ISP.
through the ISP.
Note: The interoperability need is increased with this scenario Note: The interoperability need is increased with this scenario
since the client software used by the emergency caller must be since the client software used by the emergency caller must be
compatible with the protocols and extensions deployed by the ESN. compatible with the protocols and extensions deployed by the ESN.
Zero-balance ASP (ZBP): In the case of zero-balance ASP, the ASP can Zero-balance ASP (ZBP): In the case of a zero-balance ASP, the ASP
authenticate the caller, but the caller is not authorized to use can authenticate the caller, but the caller is not authorized to
ASP services, e.g., because the contract has expired or the use ASP services, e.g., because the contract has expired or the
prepaid account for the customer has been depleted. prepaid account for the customer has been depleted.
These three cases are not mutually exclusive. A caller in need of These three cases are not mutually exclusive. A caller in need of
help may, for example, be in a NAA and NASP situation, as explained help may, for example, be both in an NAA and NASP situation, as
in more detail in Figure 1. Depending on local policy and explained in more detail in Figure 1. Depending on local policy and
regulations, it may not be possible to place emergency calls in the regulations, it may not be possible to place emergency calls in the
NAA case. Unless local regulations require user identification, it NAA case. Unless local regulations require user identification, it
should always be possible to place calls in the NASP case, with should always be possible to place calls in the NASP case, with
minimal impact on the ISP. Unless the ESN requires that all calls minimal impact on the ISP. Unless the ESN requires that all calls
traverse a known set of VSPs, it is technically possible to let a traverse a known set of Voice Service Providers (VSPs), it is
caller place an emergency call in the ZBP case. We discuss each case technically possible to let a caller place an emergency call in the
in more details in Section 3. ZBP case. We discuss each case in more detail in Section 3.
As mentioned in the abstract some of the functionality provided in Some of the functionality provided in this document is already
this document is already available in the PSTN. Consequently, there available in the Public Switched Telephone Network (PSTN).
is real-world experience available and not all of it is positive. Consequently, there is real-world experience available and not all of
For example, the functionality of SIM-less calls in today's cellular it is positive. For example, the functionality of calls without
system has lead to a fair amount of hoax or test calls in certain Subscriber Identity Modules (SIMs) in today's cellular system has
countries. This causes overload situations at PSAPs, which is lead to a fair amount of hoax or test calls in certain countries.
considered harmful to the overall availability and reliability of
emergency services.
As an example, Federal Office of Communications (OFCOM, This causes overload situations at PSAPs, which is considered harmful
to the overall availability and reliability of emergency services.
As an example, the Federal Office of Communications (OFCOM,
Switzerland) provided statistics about emergency (112) calls in Switzerland) provided statistics about emergency (112) calls in
Switzerland from Jan. 1997 to Nov. 2001. Switzerland did not Switzerland from Jan. 1997 to Nov. 2001. Switzerland did not
offer SIM-less emergency calls except for almost a month in July offer SIM-less emergency calls except for almost a month in July
2000 where a significant increase in hoax and test calls was 2000 where a significant increase in hoax and test calls was
reported. As a consequence, the functionality was disabled again. reported. As a consequence, the functionality was disabled again.
More details can be found in the panel presentations of the 3rd More details can be found in the panel presentations of the 3rd
SDO Emergency Services Workshop [esw07]. Standards Development Organization (SDO) Emergency Services
Workshop [esw07].
2. Terminology 2. Terminology
In this document, the key words "MUST", "MUST NOT", "REQUIRED", In this document, the key words "MUST", "MUST NOT", "REQUIRED",
"SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
and "OPTIONAL" are to be interpreted as described in RFC 2119 and "OPTIONAL" are to be interpreted as described in [RFC2119].
[RFC2119].
This document reuses terminology from [RFC5687] and [RFC5012], namely This document reuses terminology from [RFC5687] and [RFC5012], namely
Internet Access Provider (IAP), Internet Service Provider (ISP), Internet Access Provider (IAP), Internet Service Provider (ISP),
Application Service Provider (ASP), Voice Service Provider (VSP), Application Service Provider (ASP), Voice Service Provider (VSP),
Emergency Service Routing Proxy (ESRP), Public Safety Answering Point Emergency Service Routing Proxy (ESRP), Public Safety Answering Point
(PSAP), Location Configuration Server (LCS), (emergency) service dial (PSAP), Location Configuration Server (LCS), (emergency) service dial
string, and (emergency) service identifier. string, and (emergency) service identifier.
3. Use Case Categories 3. Use-Case Categories
On a very high-level, the steps to be performed by an end host that An end host needs to perform the following steps if it is not
is not attached to the network and the user starting to make an attached to the network and the user is starting to place an
emergency call are the following: emergency call:
Link Layer Attachment: Some networks have added support for Link-Layer Attachment: Some networks have added support for
unauthenticated emergency access, some other type of networks unauthenticated emergency access while others have advertised
advertise these capabilities using layer beacons. The end host these capabilities using layer beacons (multicast or broadcast
learns about these unauthenticated emergency services capabilities announcements). The end host learns about these unauthenticated
either from the link layer type or from advertisement. emergency services capabilities from either the link layer type or
advertisement.
The end host uses the link layer specific network attachment The end host uses the link-layer-specific network attachment
procedures defined for unauthenticated network access in order to procedures defined for unauthenticated network access in order to
get access to the network. get access to the network.
Pre-Emergency Service Configuration: When the link layer network Pre-emergency Service Configuration: When the link-layer network
attachment procedure is completed the end host learns basic attachment procedure is completed, the end host learns basic
configuration information using DHCP from the ISP. The end host configuration information using DHCP from the ISP. The end host
uses a Location Configuration Protocol (LCP) to retrieve location uses a Location Configuration Protocol (LCP) to retrieve location
information. Subsequently, the LoST protocol [RFC5222] is used to information. Subsequently, the LoST protocol [RFC5222] is used to
learn the relevant emergency numbers, and to obtain the PSAP URI learn the relevant emergency numbers and to obtain the PSAP URI
applicable for that location. applicable for that location.
Emergency Call: In case of need for help, a user dials an emergency Emergency Call: In case of the need for help, a user dials an
number and the SIP UA initiates the emergency call procedures by emergency number and the SIP User Agent (UA) initiates the
communicating with the PSAP. emergency call procedures by communicating with the PSAP.
Figure 1 compiles the basic logic taking place during network entry Figure 1 compiles the basic logic taking place during network entry
for requesting an emergency service and shows the interrelation for requesting an emergency service and shows the interrelation
between the three conditions described in the above section. between the three conditions described earlier.
+-----Y +-----Y
|Start| |Start|
`...../ `...../
| |
| Are credentials | Are credentials
| for network attachment | for network attachment
| available? | available?
| |
NO v YES NO v YES
skipping to change at page 7, line 7 skipping to change at page 7, line 31
| Procedures | | Procedures | | Procedures | | Procedures |
+------------+ +------------+ +------------+ +------------+
| | | |
| | | |
v v v v
+-----Y +-----Y +-----Y +-----Y
| Done| | Done| | Done| | Done|
`...../ `...../ `...../ `...../
Abbreviations: Abbreviations:
LLA: Link Layer Attachment LLA: Link-Layer Attachment
ES: Emergency Services ES: Emergency Services
Figure 1: Flow Diagram: NAA, ZBP, and NSAP Scenarios. Figure 1: Flow Diagram: NAA, ZBP, and NSAP Scenarios
The diagrams below highlight the most important steps for the three The diagrams below highlight the most important steps for the three
cases. cases.
+-----Y +-----Y
|Start| |Start|
`...../ `...../
| |
| No | No
| credentials | credentials
skipping to change at page 7, line 38 skipping to change at page 8, line 31
"------------' "------------'
| |
| |
| |
v v
-- --
// -- // --
/ -- / --
// Is -- // Is --
/ emergency -- / emergency --
| service | NO +--------+ | service | NO +--------+
| network |------>| Call | | network |------>| Call |
| attachment | Failed | | attachment | Failed |
\ possible? / `......./ \ possible? / `......../
\ // \ //
\\ // \\ //
\ // \ //
\--/ \--/
| |
| YES | YES
| |
| |
v v
+------------+ +------------+
skipping to change at page 8, line 15 skipping to change at page 9, line 11
| NAA | | NAA |
| Procedures | | Procedures |
+------------+ +------------+
| |
| Network | Network
| attachment | attachment
| in progress | in progress
v v
/--\ Continue /--\ Continue
| | with | | with
| | application | | application-layer
\--/ layer interaction \--/ interaction
Figure 2: Flow Diagram: NAA Scenario. Figure 2: Flow Diagram: NAA Scenario
+-----+ +-----+
+------------|Start|-----------------+ +------------|Start|-----------------+
| `...../ | | `...../ |
v v v v
+------------+ +----------------+ +------------+ +----------------+
| NAA | | Regular | | NAA | | Regular |
| Procedures | | Network Access | | Procedures | | Network Access |
+------------+ | Procedures | +------------+ | Procedures |
| +----------------+ | +----------------+
skipping to change at page 8, line 44 skipping to change at page 10, line 4
| |
| |
Network Network
Attachment Attachment
Completed Completed
| |
| |
| |
| |
v v
+------------+ +---------+ +------------+ +---------+
| ASP | NO | See | | ASP | NO | See |
| Configured?|----->| main | | Configured?|----->| main |
+------------+ | diagram | +------------+ | diagram |
| `......../ | `........./
| |
| YES | YES
| |
v v
//---- //----
/ -- / --
// -- // --
/ - +---------+ / - +---------+
| Authorization| YES | See | | Authorization| YES | See |
| for making |------>| main | | for making |------>| main |
| ES call | | diagram | | ES call | | diagram |
\ with / `......../ \ with / `........./
\ VSP/ASP? // \ VSP/ASP? //
\\ // \\ //
\ // \ //
\--/ \--/
| |
| NO | NO
| |
| |
v v
+------------+ +------------+
skipping to change at page 9, line 35 skipping to change at page 10, line 44
| Procedures | | Procedures |
+------------+ +------------+
| |
| Call | Call
| in progress | in progress
| |
v v
+--------+ +--------+
| Call | | Call |
Success| Success|
`......./ `......../
Figure 3: Flow Diagram: ZBP Scenario.
Figure 3: Flow Diagram: ZBP Scenario
+-----+ +-----+
+------------|Start|-----------------+ +------------|Start|-----------------+
| `...../ | | `...../ |
v v v v
+------------+ +----------------+ +------------+ +----------------+
| NAA | | Regular | | NAA | | Regular |
| Procedures | | Network Access | | Procedures | | Network Access |
+------------+ | Procedures | +------------+ | Procedures |
| +----------------+ | +----------------+
| | | |
skipping to change at page 10, line 19 skipping to change at page 11, line 32
Completed Completed
| |
| |
| |
| |
v v
+------------+ +---------+ +------------+ +---------+
| ASP | YES | See | | ASP | YES | See |
| Configured?|----->| main | | Configured?|----->| main |
+------------+ | diagram | +------------+ | diagram |
| `......../ | `........./
| |
| NO | NO
| |
v v
+------------+ +------------+
| Execute | | Execute |
| NASP | | NASP |
| Procedures | | Procedures |
+------------+ +------------+
| |
| Call | Call
| in progress | in progress
| |
v v
+--------+ +--------+
| Call | | Call |
Success| | Success|
`......./ `......../
Figure 4: Flow Diagram: NASP Scenario
Figure 4: Flow Diagram: NASP Scenario.
The "No Access Authentication (NAA)" procedures are described in The NAA procedures are described in Section 6. The ZBP procedures
Section 6. The "Zero-balance ASP (ZBP)" procedures are described in are described in Section 4. The NASP procedures are described in
Section 4. The "No ASP (NASP)" procedures are described in
Section 5. The Phone BCP procedures are described in [RFC6881]. The Section 5. The Phone BCP procedures are described in [RFC6881]. The
"Link Layer Attachment (LLA)" procedures are not described in this LLA procedures are not described in this document since they are
document since they are specific to the link layer technology in use. specific to the link-layer technology in use.
4. ZBP Considerations 4. ZBP Considerations
ZBP includes all cases where a subscriber is known to an ASP, but ZBP includes all cases where a subscriber is known to an ASP but
lacks the necessary authorization to access regular ASP services. lacks the necessary authorization to access regular ASP services.
Example ZBP cases include empty prepaid accounts, barred accounts, Example ZBP cases include empty prepaid accounts, barred accounts,
roaming and mobility restrictions, or any other conditions set by ASP roaming and mobility restrictions, or any other conditions set by ASP
policy. policy.
Local regulation might demand that emergency calls cannot proceed Local regulation might demand that emergency calls cannot proceed
without successful service authorization. In regulatory regimes, without successful service authorization. In some regulatory
however, it may be possible to allow emergency calls to continue regimes, however, it may be possible to allow emergency calls to
despite authorization failures. To distinguish an emergency call continue despite authorization failures. To distinguish an emergency
from a regular call an ASP can identify emergency sessions by call from a regular call, an ASP can identify emergency sessions by
inspecting the service URN [RFC5031] used in call setup. The ZBP inspecting the service URN [RFC5031] used in call setup. The ZBP
case therefore only affects the ASP. case, therefore, only affects the ASP.
Permitting a call despite authorization failures could present an Permitting a call despite authorization failures could present an
opportunity for abuse. The ASP may choose to verify the destination opportunity for abuse. The ASP may choose to verify the destination
of the emergency calls and to only permit calls to certain, pre- of the emergency calls and to only permit calls to certain,
configured entities (e.g., to local PSAPs). Section 7 discusses this preconfigured entities (e.g., to local PSAPs). Section 7 discusses
topic in more detail. this topic in more detail.
An ASP without a regulatory requirement to authorize emergency calls An ASP without a regulatory requirement to authorize emergency calls
can deny emergency call setup. Where an ASP does not authorize an can deny emergency call setup. Where an ASP does not authorize an
emergency call, the caller may be able to fall back to NASP emergency call, the caller may be able to fall back to NASP
procedures. procedures.
5. NASP Considerations 5. NASP Considerations
To start the description we consider the sequence of steps that are To start the description, we consider the sequence of steps that are
executed in an emergency call based on Figure 5. executed in an emergency call based on Figure 5.
o As an initial step the devices attaches to the network as shown in o As an initial step, the devices attach to the network as shown in
step (1). This step is outside the scope of this section. step (1). This step is outside the scope of this section.
o When the link layer network attachment procedure is completed the o When the link-layer network attachment procedure is completed, the
end host learns basic IP configuration information using DHCP from end host learns basic IP configuration information using DHCP from
the ISP, as shown in step (2). the ISP, as shown in step (2).
o When the IP address configuration is completed then the end host o When the end host has configured the IP address, it starts an
starts an interaction with the discovered Location Configuration interaction with the discovered LCS at the ISP, as shown in step
Server at the ISP, as shown in step (3). The ISP may in certain (3). In certain deployments, the ISP may need to interact with
deployments need to interact with the IAP. This protocol exchange the IAP. This protocol exchange is shown in step (4).
is shown in step (4).
o Once location information is obtained the end host triggers the o Once location information is obtained, the end host triggers the
LoST protocol to obtain the address of the ESRP/PSAP. This step LoST protocol to obtain the address of the ESRP/PSAP. This is
is shown in (5). shown in step (5).
o In step (6), the SIP UA initiates a SIP INVITE towards the o In step (6), the SIP UA initiates a SIP INVITE request towards the
indicated ESRP. The INVITE message contains all the necessary indicated ESRP. The INVITE message contains all the necessary
parameters required by Section 5.1.5. parameters required by Section 5.1.5.
o The ESRP receives the INVITE and processes it according to the o The ESRP receives the INVITE and processes it according to the
description in Section 5.3.3. description in Section 5.3.3.
o The ESRP routes the call to the PSAP, as shown in (8), potentially o The ESRP routes the call to the PSAP, as shown in step (8),
interacting with a LoST server first to determine the route. potentially interacting with a LoST server first to determine the
route.
o The PSAP evaluates the initial INVITE and aims to complete the o The PSAP evaluates the initial INVITE and aims to complete the
call setup. call setup.
o Finally, when the call setup is completed media traffic can be o Finally, when the call setup is completed, media traffic can be
exchanged between the PSAP and the SIP UA. exchanged between the PSAP and the SIP UA.
For editorial reasons the end-to-end SIP and media exchange between For brevity, the end-to-end SIP and media exchange between the PSAP
the PSAP and SIP UA are not shown in Figure 5. and SIP UA are not shown in Figure 5.
+-------+ +-------+
| PSAP | | PSAP |
| | | |
+-------+ +-------+
^ ^
| (8) | (8)
| |
+----------+(7) +----------+ +----------+(7) +----------+
| LoST |<-->| ESRP | | LoST |<-->| ESRP |
skipping to change at page 13, line 29 skipping to change at page 14, line 29
|+----------+ | | +----------+| |+----------+ | | +----------+|
|| LCS-ISP | (3)| | | DHCP || || LCS-ISP | (3)| | | DHCP ||
|| |<-+ | | | Server || || |<-+ | | | Server ||
|+----------+ | | | +----------+| |+----------+ | | | +----------+|
+-------^------+-+----------------|-----------^--+ +-------^------+-+----------------|-----------^--+
+-------|------+-+----------------|-----------|--+ +-------|------+-+----------------|-----------|--+
| IAP | (4) | |(5) | | | | IAP | (4) | |(5) | | |
| V | | | | | | V | | | | |
|+----------+ | | | | | |+----------+ | | | | |
|| LCS-IAP | | | +--------+ | | | || LCS-IAP | | | +--------+ | | |
|| | | | | Link | |(6) | | || | | | | Link- | |(6) | |
|+----------+ | | | Layer | | | | |+----------+ | | | Layer | | | |
| | | | Device | | (2)| | | | | | Device | | (2)| |
| | | +--------+ | | | | | | +--------+ | | |
| | | ^ | | | | | | ^ | | |
| | | | | | | | | | | | | |
+--------------+-|-------|--------|-----------|--+ +--------------+-|-------|--------|-----------|--+
| | | | | | | | | |
| | (1)| | | | | (1)| | |
| | | | | | | | | |
| | | +----+ | | | | +----+ |
skipping to change at page 14, line 5 skipping to change at page 15, line 5
| | +----------+ | | | +----------+ |
| +->| End |<-------------+ | +->| End |<-------------+
+___>| Host | +___>| Host |
+----------+ +----------+
Figure 5: Architectural Overview Figure 5: Architectural Overview
Note: Figure 5 does not indicate who operates the ESRP and the LoST Note: Figure 5 does not indicate who operates the ESRP and the LoST
server. Various deployment options exist. server. Various deployment options exist.
5.1. End Host Profile 5.1. End-Host Profile
5.1.1. LoST Server Discovery 5.1.1. LoST Server Discovery
The end host MUST discover a LoST server [RFC5222] using DHCP The end host MUST discover a LoST server [RFC5222] using DHCP
[RFC5223] unless a LoST server has been provisioned using other [RFC5223] unless a LoST server has been provisioned using other
means. means.
5.1.2. ESRP Discovery 5.1.2. ESRP Discovery
The end host MUST discover the ESRP using the LoST protocol [RFC5222] The end host MUST discover the ESRP using the LoST protocol [RFC5222]
unless a ESRP has been provisioned using other means. unless a ESRP has been provisioned using other means.
5.1.3. Location Determination and Location Configuration 5.1.3. Location Determination and Location Configuration
The end host MUST support location acquisition and the LCPs described The end host MUST support location acquisition and the LCPs described
in Section 6.5 of [RFC6881]. The description in Section 6.5 and 6.6 in Section 6.5 of [RFC6881]. The description in Sections 6.5 and 6.6
of [RFC6881] regarding the interaction between the device and the LIS of [RFC6881] regarding the interaction between the device and the
applies to this document. Location Information Server (LIS) applies to this document.
The SIP UA in the end host MUST attach available location information The SIP UA in the end host MUST attach available location information
in a PIDF-LO [RFC4119] when making an emergency call. When in a Presence Information Data Format Location Object (PIDF-LO)
constructing the PIDF-LO the guidelines in PIDF-LO profile [RFC5491] [RFC4119] when making an emergency call. When constructing the
MUST be followed. For civic location information the format defined PIDF-LO, the guidelines in the PIDF-LO profile [RFC5491] MUST be
in [RFC5139] MUST be supported. followed. For civic location information, the format defined in
[RFC5139] MUST be supported.
5.1.4. Emergency Call Identification 5.1.4. Emergency Call Identification
To determine which calls are emergency calls, some entity needs to To determine which calls are emergency calls, some entity needs to
map a user entered dialstring into this URN scheme. A user may map a user-entered dial string into this URN scheme. A user may
"dial" 1-1-2, 9-1-1, etc., but the call would be sent to "dial" 1-1-2, 9-1-1, etc., but the call would be sent to
urn:service:sos. This mapping SHOULD be performed at the endpoint urn:service:sos. This mapping SHOULD be performed at the endpoint
device. device.
End hosts MUST use the Service URN mechanism [RFC5031] to mark calls End hosts MUST use the Service URN mechanism [RFC5031] to mark calls
as emergency calls for their home emergency dial string. as emergency calls for their home emergency dial string.
5.1.5. SIP Emergency Call Signaling 5.1.5. SIP Emergency Call Signaling
SIP signaling capabilities [RFC3261] are REQUIRED for end hosts. SIP signaling capabilities [RFC3261] are REQUIRED for end hosts.
The initial SIP signaling method is an INVITE. The SIP INVITE The initial SIP signaling method is an INVITE. The SIP INVITE
request MUST be constructed according to the requirements in request MUST be constructed according to the requirements in
Section 9.2 [RFC6881]. Section 9.2 of [RFC6881].
Regarding callback behavior SIP UAs SHOULD place a globally routable To enable callbacks, SIP UAs SHOULD place a globally routable URI in
URI in a Contact: header. a Contact header field.
5.1.6. Media 5.1.6. Media
End points MUST comply with the media requirements for end points Endpoints MUST comply with the media requirements for endpoints
placing an emergency call found in Section 14 of [RFC6881]. placing an emergency call as described in Section 14 of [RFC6881].
5.1.7. Testing 5.1.7. Testing
The description in Section 15 of [RFC6881] is fully applicable to The description in Section 15 of [RFC6881] is fully applicable to
this document. this document.
5.2. IAP/ISP Profile 5.2. IAP/ISP Profile
5.2.1. ESRP Discovery 5.2.1. ESRP Discovery
An ISP MUST provision a DHCP server with information about LoST An ISP MUST provision a DHCP server with information about LoST
servers [RFC5223]. An ISP operator may choose to deploy a LoST servers [RFC5223]. An ISP operator may choose to deploy a LoST
server or to outsource it to other parties. server or to outsource it to other parties.
5.2.2. Location Determination and Location Configuration 5.2.2. Location Determination and Location Configuration
The ISP is responsible for location determination and exposes this The ISP is responsible for location determination and exposes this
information to the end points via location configuration protocols. information to the endpoints via location configuration protocols.
The considerations described in [RFC6444] are applicable to this The considerations described in [RFC6444] are applicable to this
document. document.
The ISP MUST support one of the LCPs described in Section 6.5 of The ISP MUST support one of the LCPs described in Section 6.5 of
[RFC6881]. The description in Section 6.5 and 6.6 of [RFC6881] [RFC6881]. The description in Sections 6.5 and 6.6 of [RFC6881]
regarding the interaction between the end device and the LIS applies regarding the interaction between the end device and the LIS applies
to this document. to this document.
The interaction between the LIS at the ISP and the IAP is often The interaction between the LIS at the ISP and the IAP is often
priorietary but the description in proprietary, but the description in [LIS] may be relevant to the
[I-D.winterbottom-geopriv-lis2lis-req] may be relevant to the reader. reader.
5.3. ESRP Profile 5.3. ESRP Profile
5.3.1. Emergency Call Routing 5.3.1. Emergency Call Routing
The ESRP continues to route the emergency call to the PSAP The ESRP continues to route the emergency call to the PSAP
responsible for the physical location of the end host. This may responsible for the physical location of the end host. This may
require further interactions with LoST servers but depends on the require further interactions with LoST servers but depends on the
specific deployment. specific deployment.
skipping to change at page 16, line 14 skipping to change at page 17, line 14
5.3.3. SIP Emergency Call Signaling 5.3.3. SIP Emergency Call Signaling
SIP signaling capabilities [RFC3261] are REQUIRED for the ESRP. The SIP signaling capabilities [RFC3261] are REQUIRED for the ESRP. The
ESRP MUST process the messages sent by the client, according to ESRP MUST process the messages sent by the client, according to
Section 5.1.5. Section 5.1.5.
Furthermore, if a PSAP wants to support NASP calls, then it MUST NOT Furthermore, if a PSAP wants to support NASP calls, then it MUST NOT
restrict incoming calls to a particular set of ASPs. restrict incoming calls to a particular set of ASPs.
6. Lower Layer Considerations for NAA Case 6. Lower-Layer Considerations for NAA Case
Some networks have added support for unauthenticated emergency Some networks have added support for unauthenticated emergency access
access, some other type of networks advertise these capabilities while others have advertised these capabilities using layer beacons.
using layer beacons. The end host learns about these unauthenticated The end host learns about these unauthenticated emergency services
emergency services capabilities either from the link layer type or capabilities either from the link-layer type or from advertisement.
from advertisement.
It is important to highlight that the NAA case is inherently a layer It is important to highlight that the NAA case is inherently a Layer
2 problem, and the general form of the solution is to provide an 2 problem, and the general form of the solution is to provide an
"emergency only" access type, with appropriate limits/monitoring to "emergency only" access type, with appropriate limits or monitoring
prevent abuse. The described mechanisms are informative in nature to prevent abuse. The described mechanisms are informative in nature
since the relationship to the IETF emergency services architecture is since the relationship to the IETF emergency services architecture is
only indirect, namely via some protocols developed within the IETF only indirect, namely via some protocols developed within the IETF
(e.g., EAP and EAP methods) that require extensions to support this (e.g., EAP and EAP methods) that require extensions to support this
functionality. functionality.
This section discusses different methods to indicate an emergency This section discusses different methods to indicate an emergency
service request as part of network attachment. It provides some service request as part of network attachment. It provides some
general considerations and recommendations that are not specific to general considerations and recommendations that are not specific to
the access technology. the access technology.
To perform network attachment and get access to the resources To perform network attachment and get access to the resources
provided by an IAP/ISP, the end host uses access technology specific provided by an IAP/ISP, the end host uses access technology-specific
network attachment procedures, including for example network network attachment procedures, including, for example, network
detection and selection, authentication, and authorization. For detection and selection, authentication, and authorization. For
initial network attachment of an emergency service requester, the initial network attachment of an emergency service requester, the
method of how the emergency indication is given to the IAP/ISP is method of how the emergency indication is given to the IAP/ISP is
specific to the access technology. However, a number of general specific to the access technology. However, a number of general
approaches can be identified: approaches can be identified:
Link layer emergency indication: The end host provides an Link-layer emergency indication: The end host provides an
indication, e.g., an emergency parameter or flag, as part of the indication, e.g., an emergency parameter or flag, as part of the
link layer signaling for initial network attachment. Examples link-layer signaling for initial network attachment. Examples
include an emergency bit signalled in the IEEE 802.16-2009 include an emergency bit signaled in the IEEE 802.16-2009 wireless
wireless link. In IEEE 802.11 WLAN, an emergency support link. In IEEE 802.11 WLAN [IEEE802.11], an emergency support
indicator allows the station (i.e., end host in this context) to indicator allows the station (i.e., end host in this context) to
download before association a Network Access Identifier (NAI), download before association to a Network Access Identifier (NAI),
which it can use to request server side authentication only for an which it can use to request server-side authentication only for an
802.1x network. IEEE 802.1X network.
Higher-layer emergency indication: Typically, emergency indication Higher-layer emergency indication: Typically, emergency indication
is provided in the network access authentication procedure. The is provided in the network access authentication procedure. The
emergency caller's end host provides an indication as part of the emergency caller's end host provides an indication as part of the
access authentication exchanges. Authentication via the access authentication exchanges. Authentication via the EAP
Extensible Authentication Protocol (EAP) [RFC3748] is of [RFC3748] is of particular relevance here. Examples are the EAP
particular relevance here. Examples are the EAP NAI decoration NAI decoration used in Worldwide Interoperability for Microwave
used in WiMAX networks and modification of the authentication Access (WiMAX) networks and modification of the authentication
exchange in IEEE 802.11. [nwgstg3]. exchange in IEEE 802.11 [nwgstg3].
6.1. Link Layer Emergency Indication 6.1. Link-Layer Emergency Indication
In general, link layer emergency indications provide good integration In general, link-layer emergency indications provide good integration
into the actual network access procedure regarding the enabling of into the actual network access procedure regarding the enabling of
means to recognize and prioritize an emergency service request from means to recognize and prioritize an emergency service request from
an end host at a very early stage of the network attachment an end host at a very early stage of the network attachment
procedure. However, support in end hosts for such methods cannot be procedure. However, support in end hosts for such methods cannot be
considered to be commonly available. considered to be commonly available.
No general recommendations are given in the scope of this memo due to No general recommendations are given in the scope of this memo due to
the following reasons: the following reasons:
o Dependency on the specific access technology. o Dependency on the specific access technology.
o Dependency on the specific access network architecture. Access o Dependency on the specific access network architecture. Access
authorization and policy decisions typically happen at a different authorization and policy decisions typically happen at different
layers of the protocol stack and in different entities than those layers of the protocol stack and in different entities than those
terminating the link-layer signaling. As a result, link layer terminating the link-layer signaling. As a result, link-layer
indications need to be distributed and translated between the indications need to be distributed and translated between the
different involved protocol layers and entities. Appropriate different protocol layers and entities involved. Appropriate
methods are specific to the actual architecture of the IAP/ISP methods are specific to the actual architecture of the IAP/ISP
network. network.
o An advantage of combining emergency indications with the actual o An advantage of combining emergency indications with the actual
network attachment procedure performing authentication and network attachment procedure performing authentication and
authorization is the fact that the emergency indication can authorization is the fact that the emergency indication can
directly be taken into account in the authentication and directly be taken into account in the authentication and
authorization server that owns the policy for granting access to authorization server that owns the policy for granting access to
the network resources. As a result, there is no direct dependency the network resources. As a result, there is no direct dependency
on the access network architecture that otherwise would need to on the access network architecture that otherwise would need to
take care of merging link-layer indications into the AA and policy take care of merging link-layer indications into the
decision process. authentication, authorization, and policy decision process.
o EAP signaling happens at a relatively early stage of network o EAP signaling happens at a relatively early stage of network
attachment, so it is likely to match most requirements for attachment, so it is likely to match most requirements for
prioritization of emergency signaling. However, it does not cover prioritization of emergency signaling. However, it does not cover
early stages of link layer activity in the network attachment early stages of link-layer activity in the network attachment
process. Possible conflicts may arise e.g. in case of MAC-based process. Possible conflicts may arise, e.g., in case of filtering
filtering in entities terminating the link-layer signaling in the based on Media Access Control (MAC) in entities terminating link-
network (like a base station). In normal operation, EAP related layer signaling in the network (like a base station). In normal
information will only be recognized in the NAS. Any entity operation, EAP-related information will only be recognized in the
residing between end host and NAS should not be expected to Network Access Server (NAS). Any entity residing between the end
understand/parse EAP messages. host and NAS should not be expected to understand/parse EAP
messages.
o An emergency indication can be given by forming a specific NAI o An emergency indication can be given by forming a specific NAI
that is used as the identity in EAP based authentication for that is used as the identity in EAP-based authentication for
network entry. network entry.
6.2. Securing Network Attachment in NAA Cases 6.2. Securing Network Attachment in NAA Cases
For network attachment in NAA cases, it may make sense to secure the For network attachment in NAA cases, it may make sense to secure the
link-layer connection between the device and the IAP/ISP. This link-layer connection between the device and the IAP/ISP. This
especially holds for wireless access with examples being IEEE 802.11 especially holds for wireless access with examples being access based
or IEEE 802.16 based access. The latter even mandates secured on IEEE 802.11 or IEEE 802.16. The latter even mandates secured
communication across the wireless link for all IAP/ISP networks based communication across the wireless link for all IAP/ISP networks based
on [nwgstg3]. on [nwgstg3].
Therefore, for network attachment that is by default based on EAP Therefore, for network attachment that is by default based on EAP
authentication it is desirable also for NAA network attachment to use authentication, it is desirable also for NAA network attachment to
a key-generating EAP method (that provides an MSK key to the use a key-generating EAP method (that provides a Master Session Key
authenticator to bootstrap further key derivation for protecting the (MSK) to the authenticator to bootstrap further key derivation for
wireless link). protecting the wireless link).
The following approaches to match the above can be identified: To match the above, the following approaches can be identified:
1) Server-only Authentication: 1) Server-Only Authentication:
The device of the emergency service requester performs an EAP The device of the emergency service requester performs an EAP
method with the IAP/ISP EAP server that performs server side method with the IAP/ISP EAP server that performs server-side
authentication only. An example for this is EAP-TLS [RFC5216]. authentication only. An example for this is EAP-TLS [RFC5216].
This provides a certain level of assurance about the IAP/ISP to This provides a certain level of assurance about the IAP/ISP to
the device user. It requires the device to be provisioned with the device user. It requires the device to be provisioned with
appropriate trusted root certificates to be able to verify the appropriate trusted root certificates to be able to verify the
server certificate of the EAP server (unless this step is server certificate of the EAP server (unless this step is
explicitly skipped in the device in case of an emergency service explicitly skipped in the device in case of an emergency service
request). This method is used to provide access of devices request). This method is used to provide access of devices
without existing credentials to an 802.1x network. The details without existing credentials to an IEEE 802.1X network. The
are incorporated into the not yet published 802.11-2011 details are incorporated in the IEEE 802.11-2012 specification
specification. [IEEE802.11].
2) Null Authentication: 2) Null Authentication:
In one case (e.g., WiMAX) an EAP method is performed. However, no In one case (e.g., WiMAX), an EAP method is performed. However,
credentials specific to either the server or the device or no credentials specific to either the server or the device or
subscription are used as part of the authentication exchange. An subscription are used as part of the authentication exchange. An
example for this would be an EAP-TLS exchange with using the example for this would be an EAP-TLS exchange using the
TLS_DH_anon (anonymous) ciphersuite. Alternatively, a publicly TLS_DH_anon (anonymous) ciphersuite. Alternatively, a publicly
available static key for emergency access could be used. In the available static key for emergency access could be used. In the
latter case, the device would need to be provisioned with the latter case, the device would need to be provisioned with the
appropriate emergency key for the IAP/ISP in advance. In another appropriate emergency key for the IAP/ISP in advance. In another
case (e.g., IEEE 802.11), no EAP method is used, so that empty case (e.g., IEEE 802.11), no EAP method is used, so that empty
frames are transported during the over the air IEEE 802.1X frames are transported during the over-the-air IEEE 802.1X
exchange. In this case the authentication state machine completes exchange. In this case, the authentication state machine
with no cryptographic keys being exchanged. completes with no cryptographic keys being exchanged.
3) Device Authentication: 3) Device Authentication:
This case extends the server-only authentication case. If the This case extends the server-only authentication case. If the
device is configured with a device certificate and the IAP/ISP EAP device is configured with a device certificate and the IAP/ISP EAP
server can rely on a trusted root allowing the EAP server to server can rely on a trusted root allowing the EAP server to
verify the device certificate, at least the device identity (e.g., verify the device certificate, at least the device identity (e.g.,
the MAC address) can be authenticated by the IAP/ISP in NAA cases. the MAC address) can be authenticated by the IAP/ISP in NAA cases.
An example for this are WiMAX devices that are shipped with device An example for this is WiMAX devices that are shipped with device
certificates issued under the global WiMAX device public-key certificates issued under the global WiMAX device public-key
infrastructure. To perform unauthenticated emergency calls, if infrastructure. To perform unauthenticated emergency calls, if
allowed by the IAP/ISP, such devices perform EAP-TLS based network allowed by the IAP/ISP, such devices perform network attachment
attachment with client authentication based on the device based on EAP-TLS with client authentication based on the device
certificate. certificate.
7. Security Considerations 7. Security Considerations
The security threats discussed in [RFC5069] are applicable to this The security threats discussed in [RFC5069] are applicable to this
document. document.
There are a couple of new vulnerabilities raised with unauthenticated The NASP and NAA cases introduce new vulnerabilities since the PSAP
emergency services in NASP/NAA cases since the PSAP operator will operator will typically not have any information about the identity
typically not possess any identity information about the emergency of the caller via the signaling path. Today, in countries where this
caller via the signaling path itself. In countries where this functionality is used for Global System for Mobile Communications
functionality is used for GSM networks today this has lead to a (GSM) networks, this has lead to a significant amount of misuse.
significant amount of misuse.
In the context of NAA, the IAP and the ISP will probably want to make In the context of NAA, the IAP and the ISP will probably want to make
sure that the claimed emergency caller indeed performs an emergency sure that the claimed emergency caller indeed performs an emergency
call rather than using the network for other purposes, and thereby call rather than using the network for other purposes, and thereby
acting fraudulent by skipping any authentication, authorization and acting fraudulent by skipping any authentication, authorization, and
accounting procedures. By restricting access of the unauthenticated accounting procedures. By restricting access of the unauthenticated
emergency caller to the LoST server and the PSAP URI, traffic can be emergency caller to the LoST server and the PSAP URI, traffic can be
restricted only to emergency calls. This can be accomplished with restricted only to emergency calls. This can be accomplished with
traffic separation. The details, however, e.g. for using filtering, traffic separation. However, the details, e.g., for using filtering,
depend on the deployed ISP architecture and are beyond the scope of depend on the deployed ISP architecture and are beyond the scope of
this document. this document.
We only illustrate a possible model. If the ISP runs its own We only illustrate a possible model. If the ISP runs its own
(caching) LoST server, the ISP would maintain an access control list (caching) LoST server, the ISP would maintain an access control list
populated with IP-address information obtained from LoST responses populated with IP-address information obtained from LoST responses
(in the mappings). These URIs would either be URIs for contacting (in the mappings). These URIs would either be URIs for contacting
further LoST servers or PSAP URIs. It may be necessary to translate further LoST servers or PSAP URIs. It may be necessary to translate
domain names returned in LoST responses to IP addresses. Since the domain names returned in LoST responses to IP addresses. Since the
media destination addresses are not predictable, the ISP also has to media destination addresses are not predictable, the ISP also has to
provide a SIP outbound proxy so that it can determine the media provide a SIP outbound proxy so that it can determine the media
addresses and add those to the filter list. addresses and add those to the filter list.
For the ZBP case the additional aspect of fraud has to be considered. For the ZBP case, the additional aspect of fraud has to be
Unless the emergency call traverses a PSTN gateway or the ASP charges considered. Unless the emergency call traverses a PSTN gateway or
for IP-to-IP calls, there is little potential for fraud. If the ASP the ASP charges for IP-to-IP calls, there is little potential for
also operates the LoST server, the outbound proxy MAY restrict fraud. If the ASP also operates the LoST server, the outbound proxy
outbound calls to the SIP URIs returned by the LoST server. It is MAY restrict outbound calls to the SIP URIs returned by the LoST
NOT RECOMMENDED to rely on a fixed list of SIP URIs, as that list may server. It is NOT RECOMMENDED to rely on a fixed list of SIP URIs,
change. as that list may change.
RFC 6280 [RFC6280] discusses security vulnerabilities that are caused RFC 6280 [RFC6280] discusses security vulnerabilities that are caused
by an adversary faking location information and thereby lying about by an adversary faking location information and thereby lying about
the actual location of the emergency caller. These threats may be the actual location of the emergency caller. These threats may be
less problematic in the context of unauthenticated emergency when less problematic in the context of an unauthenticated emergency when
location information can be verified by the ISP to fall within a location information can be verified by the ISP to fall within a
specific geographical area. specific geographical area.
8. Acknowledgments 8. References
Parts of this document are derived from [RFC6881]. Participants of
the 2nd and 3rd SDO Emergency Services Workshop provided helpful
input.
We would like to thank Richard Barnes, Brian Rosen, James Polk, Marc
Linsner, and Martin Thomson for their feedback at the IETF#80 ECRIT
meeting.
Furthermore, we would like to thank Martin Thomson and Bernard Aboba
for their detailed document review in preparation of the 81st IETF
meeting. Alexey Melnikov was the General Area (Gen-Art) reviewer. A
number of changes to the document had been made in response to the AD
review by Richard Barnes.
We would also like to thank review comments from various IESG
members, including Stephen Farrell, Barry Leiba, Pete Resnick,
Spencer Dawkins, Joel Jaeggli, and Ted Lemon.
9. IANA Considerations 8.1. Normative References
This document does not require actions by IANA. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
10. References [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
A., Peterson, J., Sparks, R., Handley, M., and E.
Schooler, "SIP: Session Initiation Protocol", RFC 3261,
June 2002, <http://www.rfc-editor.org/info/rfc3261>.
10.1. Normative References [RFC4119] Peterson, J., "A Presence-based GEOPRIV Location Object
Format", RFC 4119, December 2005,
<http://www.rfc-editor.org/info/rfc4119>.
[RFC5031] Schulzrinne, H., "A Uniform Resource Name (URN) for [RFC5031] Schulzrinne, H., "A Uniform Resource Name (URN) for
Emergency and Other Well-Known Services", RFC 5031, Emergency and Other Well-Known Services", RFC 5031,
January 2008. January 2008, <http://www.rfc-editor.org/info/rfc5031>.
[RFC4119] Peterson, J., "A Presence-based GEOPRIV Location Object
Format", RFC 4119, December 2005.
[RFC5491] Winterbottom, J., Thomson, M., and H. Tschofenig, "GEOPRIV
Presence Information Data Format Location Object (PIDF-LO)
Usage Clarification, Considerations, and Recommendations",
RFC 5491, March 2009.
[RFC5139] Thomson, M. and J. Winterbottom, "Revised Civic Location [RFC5139] Thomson, M. and J. Winterbottom, "Revised Civic Location
Format for Presence Information Data Format Location Format for Presence Information Data Format Location
Object (PIDF-LO)", RFC 5139, February 2008. Object (PIDF-LO)", RFC 5139, February 2008,
<http://www.rfc-editor.org/info/rfc5139>.
[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
A., Peterson, J., Sparks, R., Handley, M., and E.
Schooler, "SIP: Session Initiation Protocol", RFC 3261,
June 2002.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC6881] Rosen, B. and J. Polk, "Best Current Practice for
Communications Services in Support of Emergency Calling",
BCP 181, RFC 6881, March 2013.
[RFC5222] Hardie, T., Newton, A., Schulzrinne, H., and H. [RFC5222] Hardie, T., Newton, A., Schulzrinne, H., and H.
Tschofenig, "LoST: A Location-to-Service Translation Tschofenig, "LoST: A Location-to-Service Translation
Protocol", RFC 5222, August 2008. Protocol", RFC 5222, August 2008,
<http://www.rfc-editor.org/info/rfc5222>.
[RFC5223] Schulzrinne, H., Polk, J., and H. Tschofenig, "Discovering [RFC5223] Schulzrinne, H., Polk, J., and H. Tschofenig, "Discovering
Location-to-Service Translation (LoST) Servers Using the Location-to-Service Translation (LoST) Servers Using the
Dynamic Host Configuration Protocol (DHCP)", RFC 5223, Dynamic Host Configuration Protocol (DHCP)", RFC 5223,
August 2008. August 2008, <http://www.rfc-editor.org/info/rfc5223>.
10.2. Informative References [RFC5491] Winterbottom, J., Thomson, M., and H. Tschofenig, "GEOPRIV
Presence Information Data Format Location Object (PIDF-LO)
Usage Clarification, Considerations, and Recommendations",
RFC 5491, March 2009,
<http://www.rfc-editor.org/info/rfc5491>.
[RFC5687] Tschofenig, H. and H. Schulzrinne, "GEOPRIV Layer 7 [RFC6881] Rosen, B. and J. Polk, "Best Current Practice for
Location Configuration Protocol: Problem Statement and Communications Services in Support of Emergency Calling",
Requirements", RFC 5687, March 2010. BCP 181, RFC 6881, March 2013,
<http://www.rfc-editor.org/info/rfc6881>.
[RFC6443] Rosen, B., Schulzrinne, H., Polk, J., and A. Newton, 8.2. Informative References
"Framework for Emergency Calling Using Internet
Multimedia", RFC 6443, December 2011.
[RFC5012] Schulzrinne, H. and R. Marshall, "Requirements for [IEEE802.11]
Emergency Context Resolution with Internet Technologies", IEEE, "IEEE Standard for Information Technology -
RFC 5012, January 2008. Telecommunications and information exchange between
systems - Local and metropolitan area networks - Specific
requirements Part 11: Wireless LAN Medium Access Control
(MAC) and Physical Layer (PHY) Specifications", IEEE Std
802.11-2012, March 2012,
<http://standards.ieee.org/about/get/802/802.11.html>.
[RFC6444] Schulzrinne, H., Liess, L., Tschofenig, H., Stark, B., and [LIS] Winterbottom, J. and S. Norreys, "LIS to LIS Protocol
A. Kuett, "Location Hiding: Problem Statement and Requirements", Work in Progress, draft-winterbottom-
Requirements", RFC 6444, January 2012. geopriv-lis2lis-req-01, November 2007.
[I-D.winterbottom-geopriv-lis2lis-req] [RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H.
Winterbottom, J. and S. Norreys, "LIS to LIS Protocol Levkowetz, "Extensible Authentication Protocol (EAP)", RFC
Requirements", draft-winterbottom-geopriv-lis2lis-req-01 3748, June 2004, <http://www.rfc-editor.org/info/rfc3748>.
(work in progress), November 2007.
[RFC5012] Schulzrinne, H. and R. Marshall, "Requirements for
Emergency Context Resolution with Internet Technologies",
RFC 5012, January 2008,
<http://www.rfc-editor.org/info/rfc5012>.
[RFC5069] Taylor, T., Tschofenig, H., Schulzrinne, H., and M. [RFC5069] Taylor, T., Tschofenig, H., Schulzrinne, H., and M.
Shanmugam, "Security Threats and Requirements for Shanmugam, "Security Threats and Requirements for
Emergency Call Marking and Mapping", RFC 5069, January Emergency Call Marking and Mapping", RFC 5069, January
2008. 2008, <http://www.rfc-editor.org/info/rfc5069>.
[RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H.
Levkowetz, "Extensible Authentication Protocol (EAP)", RFC
3748, June 2004.
[RFC5216] Simon, D., Aboba, B., and R. Hurst, "The EAP-TLS [RFC5216] Simon, D., Aboba, B., and R. Hurst, "The EAP-TLS
Authentication Protocol", RFC 5216, March 2008. Authentication Protocol", RFC 5216, March 2008,
<http://www.rfc-editor.org/info/rfc5216>.
[RFC5687] Tschofenig, H. and H. Schulzrinne, "GEOPRIV Layer 7
Location Configuration Protocol: Problem Statement and
Requirements", RFC 5687, March 2010,
<http://www.rfc-editor.org/info/rfc5687>.
[RFC6280] Barnes, R., Lepinski, M., Cooper, A., Morris, J., [RFC6280] Barnes, R., Lepinski, M., Cooper, A., Morris, J.,
Tschofenig, H., and H. Schulzrinne, "An Architecture for Tschofenig, H., and H. Schulzrinne, "An Architecture for
Location and Location Privacy in Internet Applications", Location and Location Privacy in Internet Applications",
BCP 160, RFC 6280, July 2011. BCP 160, RFC 6280, July 2011,
<http://www.rfc-editor.org/info/rfc6280>.
[esw07] "3rd SDO Emergency Services Workshop, [RFC6443] Rosen, B., Schulzrinne, H., Polk, J., and A. Newton,
http://www.emergency-services-coordination.info/2007Nov/", "Framework for Emergency Calling Using Internet
October 30th - November 1st 2007. Multimedia", RFC 6443, December 2011,
<http://www.rfc-editor.org/info/rfc6443>.
[nwgstg3] "WiMAX Forum WMF-T33-001-R015V01, WiMAX Network [RFC6444] Schulzrinne, H., Liess, L., Tschofenig, H., Stark, B., and
Architecture Stage-3 A. Kuett, "Location Hiding: Problem Statement and
http://www.wimaxforum.org/sites/wimaxforum.org/files/ Requirements", RFC 6444, January 2012,
technical_document/2009/09/DRAFT-T33-001-R015v01- <http://www.rfc-editor.org/info/rfc6444>.
O_Network-Stage3-Base.pdf", September 2009.
[esw07] "3rd Standards Development Organziations (SDO) Emergency
Services Workshop", October 30th - November 1st 2007,
<http://www.emergency-services-
coordination.info/2007Nov/>.
[nwgstg3] WiMAX Forum, "WiMAX Forum Network Architecture - Detailed
Protocols and Procedures Base Specification", Stage-3 WMF-
T33-001-R022V02, April 2014, <http://resources.wimaxforum.
org/sites/wimaxforum.org/files/technical_document/2014/05/
WMF-T33-001-R022v02_Network-Stage3-Base.pdf>.
Acknowledgments
Parts of this document are derived from [RFC6881]. Participants of
the 2nd and 3rd SDO Emergency Services Workshop provided helpful
input.
We would like to thank Richard Barnes, Marc Linsner, James Polk,
Brian Rosen, and Martin Thomson for their feedback at the IETF#80
Emergency Context Resolution with Internet Technology (ECRIT)
meeting.
Furthermore, we would like to thank Martin Thomson and Bernard Aboba
for their detailed document review in preparation of the 81st IETF
meeting. Alexey Melnikov was the General Area (Gen-Art) reviewer. A
number of changes to the document had been made in response to the AD
review by Richard Barnes.
Various IESG members provided review comments, including Spencer
Dawkins, Stephen Farrell, Joel Jaeggli, Barry Leiba, Ted Lemon, and
Pete Resnick.
Authors' Addresses Authors' Addresses
Henning Schulzrinne Henning Schulzrinne
Columbia University Columbia University
Department of Computer Science Department of Computer Science
450 Computer Science Building 450 Computer Science Building
New York, NY 10027 New York, NY 10027
US United States
Phone: +1 212 939 7004 Phone: +1 212 939 7004
Email: hgs+ecrit@cs.columbia.edu EMail: hgs+ecrit@cs.columbia.edu
URI: http://www.cs.columbia.edu URI: http://www.cs.columbia.edu
Stephen McCann Stephen McCann
Research in Motion UK Ltd BlackBerry Ltd
200 Bath Road 200 Bath Road
Slough, Berks SL1 3XE Slough, Berks SL1 3XE
UK United Kingdom
Phone: +44 1753 667099 Phone: +44 1753 667099
Email: smccann@rim.com EMail: smccann@blackberry.com
URI: http://www.rim.com URI: http://www.blackberry.com
Gabor Bajko Gabor Bajko
MediaTek
Email: gaborbajko@gmail.com EMail: gabor.bajko@mediatek.com
Hannes Tschofenig Hannes Tschofenig
Hall in Tirol 6060 Hall in Tirol 6060
Austria Austria
Email: Hannes.Tschofenig@gmx.net EMail: Hannes.Tschofenig@gmx.net
URI: http://www.tschofenig.priv.at URI: http://www.tschofenig.priv.at
Dirk Kroeselberg Dirk Kroeselberg
Siemens Siemens Corporate Technology
Otto-Hahn-Ring 6
Munich 81739
Germany Germany
Email: dirk.kroeselberg@siemens.com EMail: dirk.kroeselberg@siemens.com
 End of changes. 138 change blocks. 
353 lines changed or deleted 373 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/