ECRIT | H. Schulzrinne |
Internet-Draft | Columbia University |
Intended status: Standards Track | S. McCann |
Expires: January 5, 2015 | Research in Motion UK Ltd |
G. Bajko | |
Nokia | |
H. Tschofenig | |
D. Kroeselberg | |
Siemens | |
July 4, 2014 |
Extensions to the Emergency Services Architecture for dealing with Unauthenticated and Unauthorized Devices
draft-ietf-ecrit-unauthenticated-access-09.txt
This document provides a problem statement, introduces terminology and describes an extension for the base IETF emergency services architecture to address cases where an emergency caller is not authenticated, has no identifiable service provider, or has no remaining credit with which to pay for access to the network.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 5, 2015.
Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Summoning police, the fire department or an ambulance in emergencies is one of the fundamental and most-valued functions of the telephone. As telephone functionality moves from circuit-switched telephony to Internet telephony, its users rightfully expect that this core functionality will continue to work at least as well as it has for the older technology. New devices and services are being made available that could be used to make a request for help, those devices are not traditional telephones, and users are increasingly expecting them to be used to place emergency calls.
Roughly speaking, the IETF emergency services architecture (see [RFC6881] and [RFC6443]) divides responsibility for handling emergency calls among the access network (ISP); the application service provider (ASP), which may be a VoIP service provider (VSP); and the provider of emergency signaling services, the emergency service network (ESN). The access network may provide location information to end systems, but does not have to provide any ASP signaling functionality. The emergency caller can reach the ESN either directly or through the ASP's outbound proxy. Any of the three parties can provide the mapping from location to PSAP URI by offering LoST [RFC5222] services.
In general, a set of automated configuration mechanisms allows a device to function in a variety of architectures, without the user being aware of the details on who provides location, mapping services or call routing services. However, if emergency calling is to be supported when the calling device lacks access network authorization or does not have an ASP, one or more of the providers may need to provide additional services and functions.
In all cases, the end device has to be able to perform a LoST lookup and otherwise conduct the emergency call in the same manner as when the three exceptional conditions discussed below do not apply.
We distinguish among three conditions:
These three cases are not mutually exclusive. A caller in need of help may, for example, be in a NAA and NASP situation, as explained in more detail in Figure 1. Depending on local policy and regulations, it may not be possible to place emergency calls in the NAA case. Unless local regulations require user identification, it should always be possible to place calls in the NASP case, with minimal impact on the ISP. Unless the ESN requires that all calls traverse a known set of VSPs, it is technically possible to let a caller place an emergency call in the ZBP case. We discuss each case in more details in Section 3.
Note: At the time of writing there is no regulation in place that demands the functionality described in this memo. SDOs have started their work on this subject in a proactive fashion in the anticipation that national regulation will demand it for a subset of network environments.
As mentioned in the abstract some of the functionality provided in this document is already available in the PSTN. Consequently, there is real-world experience available and not all of it is positive. For example, the functionality of SIM-less calls in today's cellular system has lead to a fair amount of hoax or test calls in certain countries. This causes overload situations at PSAPs, which is considered harmful to the overall availability and reliability of emergency services.
In this document, the key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as described in RFC 2119 [RFC2119].
This document reuses terminology from [RFC5687] and [RFC5012], namely Internet Access Provider (IAP), Internet Service Provider (ISP), Application Service Provider (ASP), Voice Service Provider (VSP), Emergency Service Routing Proxy (ESRP), Public Safety Answering Point (PSAP), Location Configuration Server (LCS), (emergency) service dial string, and (emergency) service identifier.
On a very high-level, the steps to be performed by an end host that is not attached to the network and the user starting to make an emergency call are the following:
Figure 1 compiles the basic logic taking place during network entry for requesting an emergency service and shows the interrelation between the three conditions described in the above section.
+-----Y |Start| `...../ | | Are credentials | for network attachment | available? | NO v YES +----------------------------+ | | | | V v .............. ................ | Idle: Wait | |Execute | | for ES Call| |LLA Procedures| | Initiation | "--------------' "------------' | Is | +---------->O emergency | | | Is ASP service | NO +-----Y | | configured? network +--->| End | | +---------------+ attachment| `...../ | YES | | NO possible? | | | | v | v v +------------+ | +------------+ +------------+ | Execute | | | Execute | | Execute | | NAA |--------+ | Phone BCP | | NASP | | Procedures | | Procedures | | Procedures | +------------+ +------------+ +------------+ Authorization for| | making an | | emergency call | | with the ASP/VSP?| | +--------------+ v | NO | YES +-----Y | | | Done| v v `...../ +------------+ +------------+ | Execute | | Execute | | ZBP | | Phone BCP | | Procedures | | Procedures | +------------+ +------------+ | | | | v v +-----Y +-----Y | Done| | Done| `...../ `...../ Abbreviations: LLA: Link Layer Attachment ES: Emergency Services
Figure 1: Flow Diagram: NAA, ZBP, and NSAP Scenarios.
The diagrams below highlight the most important steps for the three cases.
+-----Y |Start| `...../ | | No | credentials | for network access | available v .............. | Idle: Wait | | for ES Call| | Initiation | "------------' | | | v -- // -- / -- // Is -- / emergency -- | service | NO +--------+ | network |------>| Call | | attachment | Failed | \ possible? / `......./ \ // \\ // \ // \--/ | | YES | | v +------------+ | Execute | | NAA | | Procedures | +------------+ | | Network | attachment | in progress v /--\ Continue | | with | | application \--/ layer interaction
Figure 2: Flow Diagram: NAA Scenario.
+-----+ +------------|Start|-----------------+ | `...../ | v v +------------+ +----------------+ | NAA | | Regular | | Procedures | | Network Access | +------------+ | Procedures | | +----------------+ | | | | ----------------o--------------------+ | | | | Network Attachment Completed | | | | v +------------+ +---------+ | ASP | NO | See | | Configured?|----->| main | +------------+ | diagram | | `......../ | | YES | v //---- / -- // -- / - +---------+ | Authorization| YES | See | | for making |------>| main | | ES call | | diagram | \ with / `......../ \ VSP/ASP? // \\ // \ // \--/ | | NO | | v +------------+ | Execute | | ZBP | | Procedures | +------------+ | | Call | in progress | v +--------+ | Call | Success| `......./
Figure 3: Flow Diagram: ZBP Scenario.
+-----+ +------------|Start|-----------------+ | `...../ | v v +------------+ +----------------+ | NAA | | Regular | | Procedures | | Network Access | +------------+ | Procedures | | +----------------+ | | | | ----------------o--------------------+ | | | | Network Attachment Completed | | | | v +------------+ +---------+ | ASP | YES | See | | Configured?|----->| main | +------------+ | diagram | | `......../ | | NO | v +------------+ | Execute | | NASP | | Procedures | +------------+ | | Call | in progress | v +--------+ | Call | Success| `......./
Figure 4: Flow Diagram: NASP Scenario.
The "No Access Authentication (NAA)" procedures are described in Section 6. The "Zero-balance ASP (ZBP)" procedures are described in Section 4. The "No ASP (NASP)" procedures are described in Section 5. The Phone BCP procedures are described in [RFC6881]. The "Link Layer Attachment (LLA)" procedures are not described in this document since they are specific to the link layer technology in use.
ZBP includes all cases where a subscriber is known to an ASP, but lacks the necessary authorization to access regular ASP services. Example ZBP cases include empty prepaid accounts, barred accounts, roaming and mobility restrictions, or any other conditions set by ASP policy.
Local regulation might demand that emergency calls cannot proceed without successful service authorization. In regulatory regimes, however, it may be possible to allow emergency calls to continue despite authorization failures. To distinguish an emergency call from a regular call an ASP can identify emergency sessions by inspecting the service URN [RFC5031] used in call setup. The ZBP case therefore only affects the ASP.
Permitting a call despite authorization failures could present an opportunity for abuse. The ASP may choose to verify the destination of the emergency calls and to only permit calls to certain, pre-configured entities (e.g., to local PSAPs). Section 7 discusses this topic in more detail.
An ASP without a regulatory requirement to authorize emergency calls can deny emergency call setup. Where an ASP does not authorize an emergency call, the caller may be able to fall back to NASP procedures.
To start the description we consider the sequence of steps that are executed in an emergency call based on Figure 5.
For editorial reasons the end-to-end SIP and media exchange between the PSAP and SIP UA are not shown in Figure 5.
+-------+ | PSAP | | | +-------+ ^ | (8) | +----------+(7) +----------+ | LoST |<-->| ESRP | | Server | | | +----------+ +----------+ ^ ^ +----------------+----------------|--------------+ | ISP | | | |+----------+ | | +----------+| || LCS-ISP | (3)| | | DHCP || || |<-+ | | | Server || |+----------+ | | | +----------+| +-------^------+-+----------------|-----------^--+ +-------|------+-+----------------|-----------|--+ | IAP | (4) | |(5) | | | | V | | | | | |+----------+ | | | | | || LCS-IAP | | | +--------+ | | | || | | | | Link | |(6) | | |+----------+ | | | Layer | | | | | | | | Device | | (2)| | | | | +--------+ | | | | | | ^ | | | | | | | | | | +--------------+-|-------|--------|-----------|--+ | | | | | | | (1)| | | | | | | | | | | +----+ | | | v | | | | +----------+ | | +->| End |<-------------+ +___>| Host | +----------+
Figure 5: Architectural Overview
Note: Figure 5 does not indicate who operates the ESRP and the LoST server. Various deployment options exist.
The end host MUST discover a LoST server [RFC5222] using DHCP [RFC5223].
The end host MUST discover the ESRP using the LoST protocol [RFC5222].
The end host MUST support location acquisition and the LCPs described in Section 6.5 of [RFC6881]. The description in Section 6.5 and 6.6 of [RFC6881] regarding the interaction between the device and the LIS applies to this document.
The SIP UA in the end host MUST attach available location information in a PIDF-LO [RFC4119] when making an emergency call. When constructing the PIDF-LO the guidelines in PIDF-LO profile [RFC5491] MUST be followed. For civic location information the format defined in [RFC5139] MUST be supported.
To determine which calls are emergency calls, some entity needs to map a user entered dialstring into this URN scheme. A user may "dial" 1-1-2, 9-1-1, etc., but the call would be sent to urn:service:sos. This mapping SHOULD be performed at the endpoint device.
End hosts MUST use the Service URN mechanism [RFC5031] to mark calls as emergency calls for their home emergency dial string.
SIP signaling capabilities [RFC3261] are REQUIRED for end hosts.
The initial SIP signaling method is an INVITE. The SIP INVITE request MUST be constructed according to the requirements in Section 9.2 [RFC6881].
Regarding callback behavior SIP UAs SHOULD place a globally routable URI in a Contact: header.
End points MUST comply with the media requirements for end points placing an emergency call found in Section 14 of [RFC6881].
The description in Section 15 of [RFC6881] is fully applicable to this document.
An ISP MUST provision a DHCP server with information about LoST servers [RFC5223]. An ISP operator may choose to deploy a LoST server or to outsource it to other parties.
The ISP is responsible for location determination and exposes this information to the end points via location configuration protocols. The considerations described in [RFC6444] are applicable to this document.
The ISP MUST support one of the LCPs described in Section 6.5 of [RFC6881]. The description in Section 6.5 and 6.6 of [RFC6881] regarding the interaction between the end device and the LIS applies to this document.
The interaction between the LIS at the ISP and the IAP is often priorietary but the description in [I-D.winterbottom-geopriv-lis2lis-req] may be relevant to the reader.
The ESRP continues to route the emergency call to the PSAP responsible for the physical location of the end host. This may require further interactions with LoST servers but depends on the specific deployment.
The ESRP MUST understand the Service URN mechanism [RFC5031] (i.e., the 'urn:service:sos' tree).
SIP signaling capabilities [RFC3261] are REQUIRED for the ESRP. The ESRP MUST process the messages sent by the client, according to Section 5.1.5.
Furthermore, if a PSAP wants to support NASP calls, then it MUST NOT restrict incoming calls to a particular set of ASPs.
Some networks have added support for unauthenticated emergency access, some other type of networks advertise these capabilities using layer beacons. The end host learns about these unauthenticated emergency services capabilities either from the link layer type or from advertisement.
It is important to highlight that the NAA case is inherently a layer 2 problem, and the general form of the solution is to provide an "emergency only" access type, with appropriate limits/monitoring to prevent abuse. The described mechanisms are informative in nature since the relationship to the IETF emergency services architecture is only indirect, namely via some protocols developed within the IETF (e.g., EAP and EAP methods) that require extensions to support this functionality.
This section discusses different methods to indicate an emergency service request as part of network attachment. It provides some general considerations and recommendations that are not specific to the access technology.
To perform network attachment and get access to the resources provided by an IAP/ISP, the end host uses access technology specific network attachment procedures, including for example network detection and selection, authentication, and authorization. For initial network attachment of an emergency service requester, the method of how the emergency indication is given to the IAP/ISP is specific to the access technology. However, a number of general approaches can be identified:
In general, link layer emergency indications provide good integration into the actual network access procedure regarding the enabling of means to recognize and prioritize an emergency service request from an end host at a very early stage of the network attachment procedure. However, support in end hosts for such methods cannot be considered to be commonly available.
No general recommendations are given in the scope of this memo due to the following reasons:
For network attachment in NAA cases, it may make sense to secure the link-layer connection between the device and the IAP/ISP. This especially holds for wireless access with examples being IEEE 802.11 or IEEE 802.16 based access. The latter even mandates secured communication across the wireless link for all IAP/ISP networks based on [nwgstg3].
Therefore, for network attachment that is by default based on EAP authentication it is desirable also for NAA network attachment to use a key-generating EAP method (that provides an MSK key to the authenticator to bootstrap further key derivation for protecting the wireless link).
The following approaches to match the above can be identified:
The security threats discussed in [RFC5069] are applicable to this document.
There are a couple of new vulnerabilities raised with unauthenticated emergency services in NASP/NAA cases since the PSAP operator will typically not possess any identity information about the emergency caller via the signaling path itself. In countries where this functionality is used for GSM networks today this has lead to a significant amount of misuse.
In the context of NAA, the IAP and the ISP will probably want to make sure that the claimed emergency caller indeed performs an emergency call rather than using the network for other purposes, and thereby acting fraudulent by skipping any authentication, authorization and accounting procedures. By restricting access of the unauthenticated emergency caller to the LoST server and the PSAP URI, traffic can be restricted only to emergency calls. This can be accomplished with traffic separation. The details, however, e.g. for using filtering, depend on the deployed ISP architecture and are beyond the scope of this document.
We only illustrate a possible model. If the ISP runs its own (caching) LoST server, the ISP would maintain an access control list populated with IP-address information obtained from LoST responses (in the mappings). These URIs would either be URIs for contacting further LoST servers or PSAP URIs. It may be necessary to translate domain names returned in LoST responses to IP addresses. Since the media destination addresses are not predictable, the ISP also has to provide a SIP outbound proxy so that it can determine the media addresses and add those to the filter list.
For the ZBP case the additional aspect of fraud has to be considered. Unless the emergency call traverses a PSTN gateway or the ASP charges for IP-to-IP calls, there is little potential for fraud. If the ASP also operates the LoST server, the outbound proxy MAY restrict outbound calls to the SIP URIs returned by the LoST server. It is NOT RECOMMENDED to rely on a fixed list of SIP URIs, as that list may change.
RFC 6280 [RFC6280] discusses security vulnerabilities that are caused by an adversary faking location information and thereby lying about the actual location of the emergency caller. These threats may be less problematic in the context of unauthenticated emergency when location information can be verified by the ISP to fall within a specific geographical area.
Parts of this document are derived from [RFC6881]. Participants of the 2nd and 3rd SDO Emergency Services Workshop provided helpful input.
We would like to thank Richard Barnes, Brian Rosen, James Polk, Marc Linsner, and Martin Thomson for their feedback at the IETF#80 ECRIT meeting.
Furthermore, we would like to thank Martin Thomson and Bernard Aboba for their detailed document review in preparation of the 81st IETF meeting. Alexey Melnikov was the General Area (Gen-Art) reviewer. A number of changes to the document had been made in response to the AD review by Richard Barnes.
This document does not require actions by IANA.