One document matched: draft-schulzrinne-ecrit-psap-callback-03.xml
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY RFC5031 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5031.xml">
<!ENTITY RFC2119 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY RFC5012 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5012.xml">
<!ENTITY I-D.patel-ecrit-sos-parameter PUBLIC "" "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.patel-ecrit-sos-parameter.xml">
<!ENTITY I-D.ietf-ecrit-framework PUBLIC "" "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-ecrit-framework.xml">
<!ENTITY I-D.patel-dispatch-cpc-oli-parameter PUBLIC "" "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.patel-dispatch-cpc-oli-parameter.xml">
<!ENTITY RFC3325 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3325.xml">
<!ENTITY RFC4474 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4474.xml">
<!ENTITY RFC4484 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4484.xml">
<!ENTITY I-D.ietf-sip-saml PUBLIC "" "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-sip-saml.xml">
]>
<rfc category="info" docName="draft-schulzrinne-ecrit-psap-callback-03.txt"
ipr="trust200902">
<?rfc toc="yes" ?>
<?rfc symrefs="yes" ?>
<?rfc sortrefs="yes"?>
<?rfc iprnotified="no" ?>
<?rfc strict="yes" ?>
<front>
<title abbrev="PSAP Callback Marking">Public Safety Answering Point (PSAP)
Callbacks</title>
<author fullname="Henning Schulzrinne" initials="H." surname="Schulzrinne">
<organization>Columbia University</organization>
<address>
<postal>
<street>Department of Computer Science</street>
<street>450 Computer Science Building</street>
<city>New York</city>
<region>NY</region>
<code>10027</code>
<country>US</country>
</postal>
<phone>+1 212 939 7004</phone>
<email>hgs+ecrit@cs.columbia.edu</email>
<uri>http://www.cs.columbia.edu</uri>
</address>
</author>
<author fullname="Hannes Tschofenig" initials="H." surname="Tschofenig">
<organization>Nokia Siemens Networks</organization>
<address>
<postal>
<street>Linnoitustie 6</street>
<city>Espoo</city>
<code>02600</code>
<country>Finland</country>
</postal>
<phone>+358 (50) 4871445</phone>
<email>Hannes.Tschofenig@gmx.net</email>
<uri>http://www.tschofenig.priv.at</uri>
</address>
</author>
<author fullname="Milan Patel" initials="M." surname="Patel">
<organization>InterDigital Communications</organization>
<address>
<postal>
<street></street>
<city></city>
<code></code>
<country></country>
</postal>
<email>Milan.Patel@interdigital.com</email>
</address>
</author>
<date year="2010" />
<workgroup>ECRIT</workgroup>
<abstract>
<t>After an emergency call is completed (either prematurely terminated
by the emergency caller or normally by the call-taker) it is possible
that the call-taker feels the need for further communication or for a
clarification. For example, the call may have been dropped by accident
without the call-taker having sufficient information about the current
situation of a wounded person. A call-taker may trigger a callback
towards the emergency caller using the contact information provided with
the initial emergency call. This callback could, under certain
circumstances, then be treated like any other call and as a consequence,
it may get blocked by authorization policies or may get forwarded to an
answering machine.</t>
<t>The IETF emergency services architecture addresses callbacks in a
limited fashion and thereby covers a couple of scenarios. This document
discusses some shortcomings and raises the question whether additional
solution techniques are needed.</t>
</abstract>
</front>
<middle>
<!-- ****************************************************************************************** -->
<section anchor="intro" title="Introduction">
<t>Summoning police, the fire department or an ambulance in emergencies
is one of the fundamental and most-valued functions of the telephone. As
telephone functionality moves from circuit-switched telephony to
Internet telephony, its users rightfully expect that this core
functionality will continue to work at least as well as it has for the
legacy technology. New devices and services are being made available
that could be used to make a request for help, which are not traditional
telephones, and users are increasingly expecting them to be used to
place emergency calls.</t>
<t>Regulatory requirements demand that the emergency call itself
provides enough information to allow the call-taker to initiate a call
back to the emergency caller in case the call dropped or to interact
with the emergency caller in case of further questions. Such a call,
referred as PSAP callback subsequently in this document, may, however,
be blocked or forwarded to an answering machine as SIP entities (SIP
proxies as well as the SIP UA itself) cannot associate the potential
importantance of the call based on the SIP signaling.</t>
<t><list style="empty">
<t>Note that the authors are, however, not aware of regulatory
requirements for providing preferential treatment of callbacks
initiated by the call-taker at the PSAP towards the emergency
caller.</t>
</list></t>
<t>Section 10 of <xref target="I-D.ietf-ecrit-framework"></xref>
discusses the identifiers required for callbacks, namely AOR URI and a
globally routable URI in a Contact: header. Section 13 of <xref
target="I-D.ietf-ecrit-framework"></xref> provides the following
guidance regarding callback handling:</t>
<t><list style="empty">
<t>A UA may be able to determine a PSAP call back by examining the
domain of incoming calls after placing an emergency call and
comparing that to the domain of the answering PSAP from the
emergency call. Any call from the same domain and directed to the
supplied Contact header or AoR after an emergency call should be
accepted as a call-back from the PSAP if it occurs within a
reasonable time after an emergency call was placed.</t>
</list></t>
<t>This approach mimics a stateful packet filtering firewall and is
indeed helpful in a number of cases. It is also relatively simple to
implement. Below, we discuss a few cases where this approach fails.</t>
<section title="Routing Asymmetry">
<t>In some deployment environments it is common to have incoming and
outgoing SIP messaging to use different routes.</t>
<t><figure anchor="asymmetry" title="Example for Routing Asymmetry">
<artwork>
,-------.
,' `.
,-------. / Emergency \
,' `. | Services |
/ VoIP \ I | Network |
| Provider | n | |
| | t | |
| | e | |
| +-------+ | r | |
+--+---|Inbound|<--+-----m | |
| | |Proxy | | e | +------+ |
| | +-------+ | d | |PSAP | |
| | | i | +--+---+ |
+----+ | | | a-+ | | |
| UA |<---+ | | t | | | |
| |----+ | | e | | | |
+----+ | | | | | | |
| | | P | | | |
| | | r | | | |
| | +--------+ | o | | | |
+--+-->|Outbound|--+---->v | | +--+---+ |
| |Proxy | | i | | +-+ESRP | |
| +--------+ | d | | | +------+ |
| | e || | |
| | r |+-+ |
\ / | |
`. ,' \ /
'-------' `. ,'
'-------'
</artwork>
</figure></t>
</section>
<section title="Multi-Stage Resolution">
<t>Consider the following emergency call routing scenario shown in
<xref target="stages"></xref> where routing towards the PSAP occurs in
several stages. An emergency call uses a SIP UA that does not run LoST
on the end point. Hence, the call is marked with the 'urn:service:sos'
Service URN <xref target="RFC5031"></xref>. The user's VoIP provider
receives the emergency call and determines where to route it. Local
configuration or a LoST lookup might, in our example, reveal that
emergency calls are routed via a dedicated provider FooBar and
targeted to a specific entity, referred as esrp1@foobar.com. FooBar
does not handle emergency calls itself but performs another resolution
step to let calls enter the emergency services network and in this
case another resolution step takes place and esrp-a@esinet.org is
determined as the recipient, pointing to an edge device at the
IP-based emergency services network. Inside the emergency services
there might be more sophisticated routing taking place somewhat
depending on the existing structure of the emergency services
infrastructure.</t>
<t><figure anchor="stages" title="Example for Multi-Stage Resolution">
<artwork>
,-------.
+----+ ,' `.
| UA |--- urn:service:sos / Emergency \
+----+ \ | Services |
\ ,-------. | Network |
,' `. | |
/ VoIP \ | |
( Provider ) | |
\ / | |
`. ,' | |
'---+---' | +------+ |
| | |PSAP | |
esrp1@foobar.com | +--+---+ |
| | | |
| | | |
,---+---. | | |
,' `. | | |
/ Provider \ | | |
+ FooBar ) | | |
\ / | | |
`. ,' | +--+---+ |
'---+---' | +-+ESRP | |
| | | +------+ |
| | | |
+------------+-+ |
esrp-a@esinet.org | |
\ /
`. ,'
'-------'
</artwork>
</figure></t>
</section>
<section title="Call Forwarding">
<t>Imagine the following case where an emergency call enters an
emergency network (state.org) via an ERSP but then gets forwarded to a
different emergency services network (in our example to
police-town.org, fire-town.org or medic-town.org). The same
considerations apply when the the police, fire and ambulance networks
are part of the state.org sub-domains (e.g., police.state.org).</t>
<t><figure anchor="fwd" title="Example for Call Forwarding">
<artwork>
,-------.
,' `.
/ Emergency \
| Services |
| Network |
| (state.org) |
| |
| |
| +------+ |
| |PSAP +--+ |
| +--+---+ | |
| | | |
| | | |
| | | |
| | | |
| | | |
| +--+---+ | |
------------------+---+ESRP | | |
esrp-a@state.org | +------+ | |
| | |
| Call Fwd | |
| +-+-+---+ |
\ | | | /
`. | | | ,'
'-|-|-|-' ,-------.
Police | | | Fire ,' `.
+------------+ | +----+ / Emergency \
,-------. | | | | Services |
,' `. | | | | Network |
/ Emergency \ | Ambulance | | fire-town.org |
| Services | | | | | |
| Network | | +----+ | | +------+ |
|police-town.org| | ,-------. | +----+---+PSAP | |
| | | ,' `. | | +------+ |
| +------+ | | / Emergency \ | | |
| |PSAP +----+--+ | Services | | | ,
| +------+ | | Network | | `~~~~~~~~~~~~~~~
| | |medic-town.org | |
| , | | |
`~~~~~~~~~~~~~~~ | +------+ | |
| |PSAP +----+ +
| +------+ |
| |
| ,
`~~~~~~~~~~~~~~~
</artwork>
</figure></t>
</section>
<section title="PSTN Interworking">
<t>In case an emergency call enters the PSTN, as shown in <xref
target="pstn"></xref>, there is no guarantee that the callback some
time later does leave the same PSTN/VoIP gateway or that the same end
point identifier is used in the forward as well as in the backward
direction making it difficult to reliably detect PSAP callbacks.</t>
<t><figure anchor="pstn" title="Example for PSTN Interworking">
<artwork>
+-----------+
| PSTN |-------------+
| Calltaker | |
| Bob |<--------+ |
+-----------+ | v
-------------------
//// \\\\ +------------+
| | |PSTN / VoIP |
| PSTN |---->|Gateway |
\\\\ //// | |
------------------- +----+-------+
^ |
| |
+-------------+ | +--------+
| | | |VoIP |
| PSTN / VoIP | +->|Service |
| Gateway | |Provider|
| |<------Invite----| Y |
+-------------+ +--------+
| ^
| |
Invite Invite
| |
V |
+-------+
| SIP |
| UA |
| Alice |
+-------+
</artwork>
</figure></t>
</section>
<section title="Network-based Service URN Resolution">
<t>The mechanism described in <xref
target="I-D.ietf-ecrit-framework"></xref> assumes that all devices at
the call signaling path store information about the domain of the
communication recipient. This is necessary to match the stored domain
name against the domain of the sender when an incoming call
arrives.</t>
<t>However, the IETF emergency services architecture also considers
those cases where the resolution from the Service URN to the PSAP URI
happens somewhere in the network rather than immediately at the end
point itself. In such a case, the end device is therefore not able to
match the domain of the sender with any information from the outgoing
emergency call.</t>
<t><xref target="late-binding"></xref> shows this message exchange
graphically.</t>
<t><figure anchor="late-binding"
title="Example for Network-based Service URN Resolution">
<artwork>
,-------.
,' `.
/ Emergency \
| Services |
| Network |
|police-town.org|
| |
| +------+ | Invite to police.example.com
| |PSAP +<---+------------------------+
| | +----+------------------+ ^
| +------+ |Invite from | |
| ,police.example.com| |
`~~~~~~~~~~~~~~~ v |
+--------+ ++-----+-+
| | query |VoIP |
| LoST |<-----------------------|Service |
| Server | police.example.com |Provider|
| |----------------------->| |
+--------+ +--------+
| ^
Invite| | Invite
from| | to
police.example.com| | urn:service:sos
V |
+-------+
| SIP |
| UA |
| Alice |
+-------+
</artwork>
</figure></t>
</section>
</section>
<!-- ****************************************************************************************** -->
<section anchor="terminology" title="Terminology">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref
target="RFC2119"></xref>.</t>
<t>Emergency services related terminology is borrowed from <xref
target="RFC5012"></xref>.</t>
</section>
<!-- ****************************************************************************************** -->
<section anchor="design" title="Design Approaches">
<t>The starting point of the investigations is the currently provided
functionality in Section 13 of <xref
target="I-D.ietf-ecrit-framework"></xref>. It focuses on identifying a
response to a previously made emergency call. As described in the
introduction this approach is quite coarse grained since any call from
the PSAP's domain is given preferential treatment. This approach is,
however, likely going to be practical. Still there are a couple of
limitations, as discussed in this document.</t>
<t>To expand on the initially provided solution the following
description starts with attempt to identify the caller as a PSAP. There
are two approaches for accomplishing this functionality.</t>
<t><figure anchor="identity-authz" title="Identity-based Authorization">
<artwork>
+----------+
| List of |+
| valid ||
| PSAP ids ||
+----------+|
+----------+
*
* whitelist
*
V
Incoming +----------+ Normal
SIP Msg | SIP |+ Treatment
-------------->| Entity ||=============>
+ Identity | ||(if not in whitelist)
+----------+|
+----------+
||
||
|| Preferential
|| Treatment
++=============>
(in whitelist)
</artwork>
</figure></t>
<t>In <xref target="identity-authz"></xref> an interaction is presented
that allows a SIP entity to make a policy decision whether to bypass
installed authorization policies and thereby providing preferential
treatment. To make this decision the sender's identity is compared with
a whitelist of valid PSAPs. The identity assurances in SIP can come in
different forms, such as SIP Identity <xref target="RFC4474"></xref> or
with P-Asserted-Identity <xref target="RFC3325"></xref>. The former
technique relies on a cryptographic assurance and the latter on a chain
of trust.</t>
<t>The establishment of a whitelist with PSAP identities is
operationally complex and does not easily scale world wide. When there
is a local relationship between the VSP/ASP and the PSAP then populating
the whitelist is far simpler.</t>
<t>An alternative approach to an identity based authorization model is
outlined in <xref target="trait"></xref>. In fact, RFC 4484 <xref
target="RFC4484"></xref> already illustrated the basic requirements for
this technique.</t>
<t><figure anchor="trait" title="Trait-based Authorization">
<artwork>
+----------+
| List of |+
| trust ||
| anchor ||
+----------+|
+----------+
*
*
*
V
Incoming +----------+ Normal
SIP Msg | SIP |+ Treatment
-------------->| Entity ||=============>
+ trait | ||(no indication
+----------+| of PSAP)
+----------+
||
||
|| Preferential
|| Treatment
++=============>
(indicated as
PSAP)
</artwork>
</figure></t>
<t>In a trait-based authorization scenario an incoming SIP message
contains a form of trait, i.e. some form of assertion. The assertion
contains an indication that the sending party has the role of a PSAP (or
similar emergency services entity). The assertion is either
cryptographically protected to enable end-to-end verification or an
chain of trust security model has to be assumed. In <xref
target="trait"></xref> we assume an end-to-end security model where
trust anchors are provisioned to ensure the ability for a SIP entity to
verify the received assertion.</t>
<t>From a solution point of view various approaches are feasible, such
as SIP SAML (see <xref target="I-D.ietf-sip-saml"></xref>) or URI
Parameters for indicating the Calling Party's Category and Originating
Line Information (see <xref
target="I-D.patel-dispatch-cpc-oli-parameter"></xref>).</t>
<t>Still, a drawback of the outlined approaches above is that it does
not allow any mechanism to distinguish different types of calls
initiated by PSAPs. Not every call from a PSAP is indeed a response to
an emergency call.</t>
<t>This leads us to another mechanism on top of the previously presented
onces, namely the indication is that the communication attempt is of
emergency nature. As such, it is a slight modification of the one
presented previously. In addition to the indication that the calling
party is a PSAP there is an expression that the specific call is of
emergency services nature. This indication cannot be verified by
external parties, similarly to the emergency call marking for a
citizen-to-authority emergency call using a Service URN, because it
heavily depends on the intention of the call taker itself.</t>
</section>
<!-- ****************************************************************************************** -->
<section title="Topics for Investigation">
<t>When you make an IP-based emergency call to an IP-based PSAP then the
PSAP will get two pieces of identity information about the emergency
caller: <list style="symbols">
<t>Contact-URI: Information that uniquely identifies the device the
call came from.</t>
<t>Address of Record: Long-term contact information</t>
</list></t>
<t>Should the callback functionality be tied to a previous emergency
call setup and as such enabled only for a specific time? For example,
preferential treatment for callbacks could be provided only within one
hour after the initial emergency call was made.</t>
<t>Is it expected that the callback reaches primarily the device that
initiated the emergency call? In some cases the device that was used to
originally initiate the call does not respond anymore to a callback
(e.g. imagine a fixed line phone that was used to report a fire in a
house and is out of order soon afterwards). Since the initial emergency
call provided a second contact mechanism (namely the address of record)
it could be used by the call taker as well. Should this communication
also experience the same type of override privilege as the initially
transmitted callback to the emergency caller's device?</t>
<t>Should any restrictions be made regarding the media being used for
callback? Is it acceptable to return an instant message when the caller
started the conversation with audio?</t>
</section>
<!-- ****************************************************************************************** -->
<section title="Security Considerations">
<t>This document provides discussions problems of PSAP callbacks and
explores the design space.</t>
<t>An important aspect from a security point of view is the relationship
between the emergency services network and the VSP (assuming that the
emergency call travels via the VSP and not directly between the SIP UA
and the PSAP). If there is some form of relationship between the
emergency services operator and the VSP then the identification of a
PSAP call back is less problematic than in the case where the two
entities have not entered in some form of relationship that would allow
the VSP to verify whether the marked callback message indeed came from a
legitimate source.</t>
<t>The main attack surface can be seen in the usage of PSAP callback
marking to bypass blacklists, ignore call forwarding procedures and
similar features to interact with users and to get their attention. For
example, using PSAP callback marking devices would be able to recognize
these types of incoming messages leading to the device overriding user
interface configurations, such as vibrate-only mode. As such, the
requirement is to ensure that the mechanisms described in this document
can not be used for malicious purposes, including SPIT.</t>
<t>It is important that PSAP callback marked SIP messages, which cannot
be verified adequately, are treated like a call that does not have any
marking attached instead of failing the call processing procedure.</t>
</section>
<!-- ****************************************************************************************** -->
<section title="Acknowledgements">
<t>We would like to thank members from the ECRIT working group, in
particular Brian Rosen, for their discussions around PSAP callbacks. The
working group discussed the topic of callbacks at their virtual interim
meeting in February 2010 and the following persons provided valuable
input: John Elwell, Bernard Aboba, Cullen Jennings, Keith Drage, Marc
Linsner, Roger Marshall, Dan Romascanu, Geoff Thompson, Milan Patel,
Janet Gunn.</t>
</section>
<!-- ****************************************************************************************** -->
</middle>
<back>
<references title="Informative References">
&RFC2119;
</references>
<references title="Informative References">
&I-D.patel-ecrit-sos-parameter;
&I-D.ietf-ecrit-framework;
&RFC5031;
&RFC5012;
&I-D.patel-dispatch-cpc-oli-parameter;
&RFC3325;
&RFC4474;
&RFC4484;
&I-D.ietf-sip-saml;
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 00:51:30 |