One document matched: draft-schulzrinne-ecrit-unauthenticated-access-08.xml
<?xml version="1.0"?>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc toc="yes" ?>
<?rfc symrefs="yes" ?>
<?rfc sortrefs="no"?>
<?rfc iprnotified="no" ?>
<?rfc strict="no" ?>
<?rfc compact="yes" ?>
<?rfc subcompact="yes" ?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY I-D.ietf-geopriv-http-location-delivery PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-geopriv-http-location-delivery.xml'>
<!ENTITY I-D.ietf-ecrit-lost PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-ecrit-lost.xml'>
<!ENTITY I-D.ietf-geopriv-l7-lcp-ps PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-geopriv-l7-lcp-ps.xml'>
<!ENTITY I-D.ietf-sip-location-conveyance PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-sip-location-conveyance.xml'>
<!ENTITY I-D.ietf-ecrit-framework PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-ecrit-framework.xml'>
<!ENTITY RFC5031 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5031.xml'>
<!ENTITY RFC4119 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.4119.xml'>
<!ENTITY I-D.ietf-geopriv-pdif-lo-profile PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-geopriv-pdif-lo-profile.xml'>
<!ENTITY RFC5139 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5139.xml'>
<!ENTITY RFC5012 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5012.xml'>
<!ENTITY I-D.ietf-ecrit-phonebcp PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-ecrit-phonebcp.xml'>
<!ENTITY RFC5069 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5069.xml'>
<!ENTITY RFC3361 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3361.xml'>
<!ENTITY RFC3319 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3319.xml'>
<!ENTITY RFC3261 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.3261.xml'>
<!ENTITY I-D.ietf-geopriv-held-identity-extensions PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-geopriv-held-identity-extensions.xml'>
<!ENTITY I-D.winterbottom-geopriv-lis2lis-req PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.winterbottom-geopriv-lis2lis-req.xml'>
<!ENTITY RFC2119 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml'>
<!ENTITY I-D.ietf-geopriv-arch PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-geopriv-arch.xml'>
<!ENTITY RFC5222 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5222.xml'>
<!ENTITY RFC5223 PUBLIC '' 'http://xml.resource.org/public/rfc/bibxml/reference.RFC.5223.xml'>
]>
<rfc category="std" ipr="trust200902" docName="draft-schulzrinne-ecrit-unauthenticated-access-08.txt">
<front>
<title abbrev="Unauthenticated Emergency Service">Extensions to the Emergency Services
Architecture for dealing with Unauthenticated and Unauthorized Devices</title>
<author initials="H." surname="Schulzrinne" fullname="Henning Schulzrinne">
<organization>Columbia University</organization>
<address>
<postal>
<street>Department of Computer Science</street>
<street>450 Computer Science Building</street>
<city>New York</city>
<region>NY</region>
<code>10027</code>
<country>US</country>
</postal>
<phone>+1 212 939 7004</phone>
<email>hgs+ecrit@cs.columbia.edu</email>
<uri>http://www.cs.columbia.edu</uri>
</address>
</author>
<author fullname="Stephen McCann" initials="S." surname="McCann">
<organization>Research in Motion UK Ltd</organization>
<address>
<postal>
<street>200 Bath Road</street>
<city>Slough</city>
<region>Berks</region>
<code>SL1 3XE</code>
<country>UK</country>
</postal>
<phone>+44 1753 667099</phone>
<email>smccann@rim.com</email>
<uri>http://www.rim.com</uri>
</address>
</author>
<author fullname="Gabor Bajko" initials="G." surname="Bajko">
<organization>Nokia</organization>
<address>
<email>Gabor.Bajko@nokia.com</email>
</address>
</author>
<author initials="H." surname="Tschofenig" fullname="Hannes Tschofenig">
<organization>Nokia Siemens Networks</organization>
<address>
<postal>
<street>Linnoitustie 6</street>
<city>Espoo</city>
<code>02600</code>
<country>Finland</country>
</postal>
<phone>+358 (50) 4871445</phone>
<email>Hannes.Tschofenig@gmx.net</email>
<uri>http://www.tschofenig.priv.at</uri>
</address>
</author>
<author initials="D." surname="Kroeselberg" fullname="Dirk Kroeselberg">
<organization>Nokia Siemens Networks</organization>
<address>
<postal>
<street>St.-Martin-Str. 76</street>
<city>Munich</city>
<code>81541</code>
<country>Germany</country>
</postal>
<phone>+49 (89) 515933019</phone>
<email>Dirk.Kroeselberg@nsn.com</email>
</address>
</author>
<date year="2010"/>
<area>Real-time Applications and Infrastructure</area>
<workgroup>ECRIT</workgroup>
<keyword>Internet-Draft</keyword>
<abstract>
<t>The IETF emergency services architecture assumes that the calling device has acquired
rights to use the access network or that no authentication is required for the access
network, such as for public wireless access points. Subsequent protocol interactions,
such as obtaining location information, learning the address of the Public Safety
Answering Point (PSAP) and the emergency call itself are largely decoupled from the
underlying network access procedures.</t>
<t>In some cases, the device does not have credentials for network access, does not have a
VoIP provider or application service provider (ASP), or the credentials have become
invalid, e.g., because the user has exhausted their prepaid balance or the account has
expired. </t>
<t>This document provides a problem statement, introduces terminology and describes an
extension for the base IETF emergency services architecture to address these scenarios.
</t>
</abstract>
</front>
<middle>
<!-- ////////////////////////////////////////////////////////////////////////////////// -->
<section anchor="introduction" title="Introduction">
<t> Summoning police, the fire department or an ambulance in emergencies is one of the
fundamental and most-valued functions of the telephone. As telephone functionality moves
from circuit-switched telephony to Internet telephony, its users rightfully expect that
this core functionality will continue to work at least as well as it has for the older
technology. New devices and services are being made available that could be used to make
a request for help, which are not traditional telephones, and users are increasingly
expecting them to be used to place emergency calls. </t>
<t> Roughly speaking, the IETF emergency services architecture (see <xref
target="I-D.ietf-ecrit-phonebcp"/> and <xref target="I-D.ietf-ecrit-framework"/>)
divides responsibility for handling emergency calls between the access network (ISP),
the application service provider (ASP) that may be a VoIP service provider and the
provider of emergency signaling services, the emergency service network (ESN). The
access network may provide location information to end systems, but does not have to
provide any ASP signaling functionality. The emergency caller can reach the ESN either
directly or through the ASP's outbound proxy. Any of the three parties can provide the
mapping from location to PSAP URI by offering LoST <xref target="RFC5222"/> services.</t>
<t> In general, a set of automated configuration mechanisms allows a device to function in
a variety of architectures, without the user being aware of the details on who provides
location, mapping services or call routing services. However, if emergency calling is to
be supported when the calling device lacks access network authorization or does not have
an ASP, one or more of the providers may need to provide additional services and
functions. </t>
<t> In all cases, the end device MUST be able to perform a LoST lookup once it has established
IP connectivity, and otherwise conduct the emergency call in the same manner as when the
three exceptional conditions discussed below do not apply.</t>
<t> We distinguish between three conditions: </t>
<t>
<list style="hanging">
<t hangText="No access authorization (NAA):"> The current access network requires
access authorization and the caller does not have valid user credentials. (This
includes the case where the access network allows pay-per-use, as is common for
wireless hotspots, but there is insufficient time to pay for access.) <vspace
blankLines="1"/></t>
<t hangText="
No ASP (NASP):"> The caller does not have an
ASP at the time of the call. <vspace blankLines="1"/></t>
<t hangText="Zero-balance ASP (ZBP):"> The caller has valid credentials
with an ASP, but is not allowed to access services like placing calls in case
of a VoIP service, e.g., because the user has a zero balance in a prepaid account.<vspace blankLines="1"/>
</t>
</list>
</t>
<t>A user may well suffer from both NAA and NASP or ZBP at the same time. Depending on local
policy and regulations, it may not be possible to place emergency calls in the NAA case.
Unless local regulations require user identification, it should always be possible to
place calls in the NASP case, with minimal impact on the ISP. Unless the ESN requires
that all calls traverse a known set of VSPs, a caller should be able to place an
emergency call in the ZBP case. We discuss each case in separate sections below. </t>
<section title="No Access Authorization (NAA)">
<t> In the NAA (No Access Authorization) case, the emergency caller does not posses
valid credentials for the access network. If local regulations or policy allows or
requires support for emergency calls in NAA, the access network may or needs to
cooperate in providing emergency calling services. Support for NAA emergency calls
is subject to the local policy of the ISP. Such policy may vary substantially between
ISPs and typically depends on external factors that are not under the ISP control.
Hence, no global mandates for supporting emergency calls in relation to NAA can be made.
However, it makes a lot of sense to offer appropriate building blocks that enable ISPs
to flexibly react on the local environment. Generally, the ISP will want to ensure that
devices do not pretend to place emergency calls, but then abuse the access for
obtaining more general services fraudulently. </t>
<t> In particular, the ISP MUST allow emergency callers to acquire an IP address and to
reach a LoST server, either provided by the ISP or some third party. It SHOULD also
provide location information via one of the mechanisms specified in <xref
target="I-D.ietf-ecrit-phonebcp"/> without requiring authorization unless it can
safely assume that all nodes in the access network can determine their own location,
e.g., via GPS.</t>
<t> The details of how filtering is performed depends on the details of the ISP
architecture and are beyond the scope of this document. We illustrate a possible
model. If the ISP runs its own LoST server, it would maintain an access control list
including all IP addresses contained in responses returned by the LoST server, as
well as the LoST server itself. (It may need to translate the domain names returned
to IP addresses and hope that the resolution captures all possible DNS responses.)
Since the media destination addresses are not predictable, the ISP also has to
provide a SIP outbound proxy so that it can determine the media addresses and add
those to the filter list. </t>
</section>
<section title="No ASP (NASP)">
<t> In the second case, the emergency caller has no current ASP.
This case poses no particular difficulties unless it is assumed that only ASPs
provide LoST server or that ESNs only accept calls that reach it through a set of
known ASPs. However, since the calling device cannot obtain configuration information
from its ASP, the ISP MUST provide the address of a LoST server via DHCP <xref
target="RFC5223"/> if this model is to be supported. The LoST server may be
operated either by the ISP or a third party. </t>
Furthermore, ASPs may support emergency callers that cannot present
valid credentials (e.g. because they do not have a subscription with the specific
ASP). For this, a fundamental prerequisite is that the client used by
the emergency caller is compatible with the ASP infrastructure.
</section>
<section title="Zero-Balance Application Service Provider (ZBP)">
<t> In the case of zero-balance ASP, the ASP can authenticate the
caller, but the caller is not authorized to use ASP services, e.g., because
the contract has expired or the prepaid account for the customer has been depleted.
Naturally, an ASP can simply disallow access by such customers, so that all such
customers find themselves in the NASP situation described above. If ASPs desire or are
required by regulation to provide emergency calling services to such customers, they
need to provide LoST services to such customers and may need to provide outbound SIP
proxy services. As usual, the calling device looks up the LoST server via SIP
configuration. </t>
<t> Unless the emergency call traverses a PSTN gateway or the ASP charges for IP-to-IP
calls, there is little potential for fraud. If the ASP also operates the LoST server,
the outbound proxy MAY restrict outbound calls to the SIP URIs returned by the LoST
server. It is NOT RECOMMENDED to rely on a fixed list of SIP URIs, as that list may
change. </t>
</section>
</section>
<!-- ////////////////////////////////////////////////////////////////////////////////// -->
<section title="A Warning Note">
<t>At the time of writing there is no regulation in place that demands the functionality
described in this memo. SDOs have started their work on this subject in a proactive
fashion in the anticipation that national regulation will demand it for a subset of
network environments.</t>
<t>There are also indications that the functionality of unauthenticated emergency calls
(called SIM-less calls) in today's cellular system in certain countries leads to a fair
amount of hoax or test calls. This causes overload situations at PSAPs which is
considered harmful to the overall availability and reliability of emergency services.</t>
<t>
<list style="empty">
<t>As an example, Federal Office of Communications (OFCOM, Switzerland) provided
statistics about emergency (112) calls in Switzerland from Jan. 1997 to Nov. 2001.
Switzerland did not offer SIM-less emergency calls except for almost a month in
July 2000 where a significant increase in hoax and test calls was reported. As a
consequence, the functionality was disabled again. More details can be found in
the panel presentations of the 3rd SDO Emergency Services Workshop <xref
target="esw07"/>.</t>
</list>
</t>
</section>
<!-- ////////////////////////////////////////////////////////////////////////////////// -->
<section anchor="terminology" title="Terminology">
<t>In this document, the key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as
described in RFC 2119 <xref target="RFC2119"/>.</t>
<!-- <t>This document introduces the following new terms: </t>
<t>
<list style="hanging">
<t hangText="Un-initialized Device:">
<vspace blankLines="1"/>A device without VoIP client software. <vspace
blankLines="1"/>
</t>
<t hangText="Non-Service-Initialized Device:"><vspace blankLines="1"/> A device for
which there is no valid service contract with a provider of the services. Other
terms: "un-activated", "un-provisioned", or "unbranded" device. <vspace
blankLines="1"/></t>
<t hangText="Unauthenticated Emergency Service:">
<vspace blankLines="1"/> The term "unauthenticated emergency services" refers to
the case where an emergency caller does not have credentials (e.g., no SIM card,
no username and password, no private key) to successfully complete network access
authentication procedures or to use a VoIP service or both. <vspace blankLines="1"
/> The case of no credentials for network access is likely case in enterprise
networks, home networks, or governmental networks. In other cases the user might
be able to obtain such credentials, for example in hotspots found in hotels, at
airports, and in many coffee shops. Unfortunately, users have to go through a
lengthy procedure (often involving captive portals) to obtain a temporary account
in exchange of money. In emergency situations it is certainly not desirable to let
the user find their way through a number of webpages and to type-in their credit
card details. <vspace blankLines="1"/> It is important to differentiate between
the unavailability of credentials for network access and for VoIP access as the
network provider and the VoIP provider are often distinct entities and therefore
the user might have different credentials with the two. <vspace blankLines="1"/></t>
<t hangText="Unauthorized Emergency Service:">
<vspace blankLines="1"/> The term "unauthorized emergency services" refers to the
case where a device aims to attach to the network or to use a VoIP service but the
authorization procedure fails. The authorization step may fail as a consequence of
triggering different procedures (such as network access authentication or
registration at the VoIP providers registrar). Still, the device is granted
(limited) access to perform emergency calling. It is important to differentiate
between network operator and VoIP provider as they often refer to different
parties and therefore the authorization decision might be executed by a different
backend infrastructure. <vspace blankLines="1"/> Lack of authorization might be
caused by a number of reasons, including credit exhaustion, expired accounts,
locked account, missing access rights (e.g., access to the competitors enterprise
network), etc. <vspace blankLines="1"/>
</t>
</list>
</t>
-->
<t>This document reuses terminology from <xref target="I-D.ietf-geopriv-l7-lcp-ps"/> and
<xref target="RFC5012"/>, namely Internet Access Provider (IAP), Internet Service
Provider (ISP), Application Service Provider (ASP), Voice Service Provider (VSP),
Emergency Service Routing Proxy (ESRP), Public Safety Answering Point (PSAP), Location
Configuration Server (LCS), (emergency) service dial string, and (emergency) service
identifier. </t>
</section>
<!-- ////////////////////////////////////////////////////////////////////////////////// -->
<section anchor="architecture-1"
title="Considerations for ISPs to support Unauthenticated Emergency Services without Architecture Extensions">
<t> This section provides a recommended configuration for unauthenticated emergency
services support without architecture extensions.</t>
<t> On a very high-level, the steps to
be performed by an end host not being attached to
the network and the user starting to make an emergency call are the following: </t>
<t>
<list style="symbols">
<t>Some radio networks have added support for unauthenticated emergency access, some
other type of networks advertise these capabilities using layer beacons. The end
host learns about these unauthenticated emergency services capabilities either
from the link layer type or from link layer advertisement.</t>
<t>A security association may be established for the purpose of data
confidentiality at the link layer. However, since the
link layer is limited to a broadcast domain, it would be better
to establish a security association at higher layers.</t>
<t>The end host uses the link layer specific network attachment procedures defined
for unauthenticated network access in order to get access to emergency services.</t>
<t>When the link layer network attachment procedure is completed the end host learns
basic configuration information using DHCP from the ISP, including the address of
the LoST server. </t>
<t>The end host MUST use a Location Configuration Protocol (LCP) supported by the IAP
or ISP to learn its own location. </t>
<t>The end host MUST use the LoST protocol <xref target="I-D.ietf-ecrit-lost"/> to
query the LoST server and asks for the PSAP URI responsible for that location.</t>
<t>After the PSAP URI has been returned to the end host, the SIP UA in the end host
directly initiates a SIP INVITE towards the PSAP URI.</t>
</list>
</t>
<t> The IAP and the ISP will probably want to make sure that the claimed emergency caller
indeed performs an emergency call rather than using the network for other purposes, and
thereby acting fraudulent by skipping any authentication, authorization and accounting
procedures. By restricting access of the unauthenticated emergency caller to the LoST
server and the PSAP URI, traffic can be restricted only to emergency calls (see also
section 1.1). </t>
<t> Using the above procedures, the unauthenticated emergency caller will be successful
only if: </t>
<t>
<list style="symbols">
<t>the ISP (or the IAP) support an LCP that the end host can use to learn its
location. A list of mandatory-to-implement LCPs can be found in <xref
target="I-D.ietf-ecrit-phonebcp"/>). </t>
<t>the ISP configures it's firewalls appropriately to allow emergency calls to
traverse the network towards the PSAP. </t>
</list>
</t>
<t> Some IAPs/ISPs may not be able to fulfill the above requirements. If those IAPs/ISPs
want to support unauthenticated emergency calls, then they can deploy an extended
architecture as described in <xref target="architecture-2"/>. </t>
</section>
<!-- ////////////////////////////////////////////////////////////////////////////////// -->
<section anchor="architecture-2"
title="Considerations for ISPs to support Unauthenticated Emergency Services with Architecture Extensions">
<t> This section provides a recommended configuration for unauthenticated emergency
services support without architecture extensions.</t>
<t>For unauthenticated emergency services support it is insufficient to provide mechanisms
only at the link layer in order to bypass authentication for the cases when:</t>
<t>
<list style="symbols">
<t>the IAP/ISP does not support any Location Configuration Protocol</t>
<t>the IAP/ISP cannot assume the end hosts to support a Location Configuration
Protocol</t>
<t>the IAP/ISP does not have knowledge of a LoST server (which would assist the
client to find the correct PSAP)</t>
</list>
</t>
<t> A modification to the emergency services architecture is necessary since the IAP and
the ISP need to make sure that the claimed emergency caller indeed performs an emergency
call rather than using the network for other purposes, and thereby acting fraudulent by
skipping any authentication, authorization and accounting procedures. Hence, without
introducing some understanding of the specific application the ISP (and consequently the
IAP) will not be able to detect and filter malicious activities. This leads to the
architecture described in <xref target="arch-fig"/> where the IAP needs to implement
extensions to link layer procedures for unauthenticated emergency service access and the
ISP needs to deploy emergency services related entities used for call routing, such as
the Emergency Services Routing Proxy (ESRP), a Location Configuration Server (LCS) and a
mapping database.</t>
<t>On a very high-level, the interaction is as follows starting with the end host not being
attached to the network and the user starting to make an emergency call. </t>
<t>
<list style="symbols">
<!-- <t>With the exchange shown in (1) a link layer device, such as base stations and access
points, advertise their capability, for example using link layer beacons, to allow
unauthenticated emergency service network access. </t>
-->
<t>Some radio networks have added support for unauthenticated emergency access, some
other type of networks advertise these capabilities using layer beacons. The end
host learns about these unauthenticated emergency services capabilities either
from the link layer type or from link layer advertisement.</t>
<t>A security association may be established for the purpose of data
confidentiality at the link layer. However, since the
link layer is limited to a broadcast domain, it would be better
to establish a security association at higher layers.</t>
<t>The end host uses the link layer specific network attachment procedures defined
for unauthenticated network access in order to get access to emergency services.</t>
<!--
<t>The end host executes an EAP method that is suitable for unauthenticated network access
that does not require client-side authentication.</t>
-->
<t>When the link layer network attachment procedure is completed the end host learns
basic configuration information using DHCP from the ISP, including the address of
the ESRP, as shown in (2).</t>
<t>When the IP address configuration is completed then the SIP UA initiates a SIP
INVITE towards the indicated ESRP, as shown in (3). The INVITE message contains
all the necessary parameters required by <xref target="sip-client"/>.</t>
<t>The ESRP receives the INVITE and processes it according to the description in
<xref target="esrp-sip"/>. The location of the end host may need to be
determined using a protocol interaction shown in (4).</t>
<t>Potentially, an interaction between the LCS of the ISP and the LCS of the IAP may
be necessary, see (5).</t>
<t>Finally, the correct PSAP for the location of the end host has to be evaluated,
see (6).</t>
<t>The ESRP routes the call to the PSAP, as shown in (7).</t>
<t>The PSAP evaluates the initial INVITE and aims to complete the call setup. </t>
<t>Finally, when the call setup is completed media traffic can be exchanged between
the PSAP and the emergency caller.</t>
</list>
</t>
<t>For editorial reasons the end-to-end SIP and media exchange between the PSAP and SIP UA
are not shown in <xref target="arch-fig"/>.</t>
<t>Two important aspects are worth to highlight: </t>
<t>
<list style="symbols">
<t>The IAP/ISP needs to understand the concept of emergency calls or other emergency
applicationsand the SIP profile described in this document. No other VoIP protocol
profile, such as XMPP, Skype, etc., are supported for emergency calls in this
particular architecture. Other profiles may be added in the future, but the
deployment effort is enormous since they have to be universally deployed. </t>
<t>The end host has no obligation to determine location information. It may attach
location information if it has location available (e.g., from a GPS receiver).</t>
</list>
</t>
<t><xref target="arch-fig"/> shows that the ISP needs to deploy SIP-based emergency
services functionality. It is important to note that the ISP itself may outsource the
functionality by simply providing access to them (e.g., it puts the IP address of an
ESRP or a LoST server into an allow-list). For editorial reasons this outsourcing is not
shown.</t>
<t>
<figure anchor="arch-fig" title="Overview">
<artwork><![CDATA[
+---------------------------+
| |
| Emergency Network |
| Infrastructure |
| |
| +----------+ +----------+ |
| | PSAP | | ESRP | |
| | | | | |
| +----------+ +----------+ |
+-------------------^-------+
|
| (7)
+------------------------+-----------------------+
| ISP | |
| | |
|+----------+ v |
|| Mapping | (6) +----------+ |
|| Database |<----->| ESRP / | |
|+----------+ | SIP Proxy|<-+ |
|+----------+ +----------+ | +----------+|
|| LCS-ISP | ^ | | DHCP ||
|| |<---------+ | | Server ||
|+----------+ (4) | +----------+|
+-------^-------------------------+-----------^--+
+-------|-------------------------+-----------|--+
| IAP | (5) | | |
| V | | |
|+----------+ | | |
|| LCS-IAP | +----------+ | | |
|| | | Link | |(3) | |
|+----------+ | Layer | | | |
| | Device | | (2)| |
| +----------+ | | |
| ^ | | |
| | | | |
+------------------------+--------+-----------+--+
| | |
(1)| | |
| | |
| +----+ |
v v |
+----------+ |
| End |<-------------+
| Host |
+----------+
]]></artwork>
</figure>
</t>
<t>It is important to note that a single ESRP may also offer it's service to several
ISPs.</t>
</section>
<!-- ////////////////////////////////////////////////////////////////////////////////// -->
<section title="NAA considerations for the network attachment procedure of IAPs/ISPs">
<t>This section discusses different methods to indicate an emergency service request as part
of network attachment. It provides general considerations related to the access that
provides the actual IP connectivity, without assuming a specific access technology.
No specific recommendations are provided by this version of the document.</t>
<t>To perform network attachment and get access to the resources provided by an IAP/ISP, the
end host uses access technology specific network attachment procedures, including for
example network detection and selection, authentication and authorization, or setup of
service flows providing a specific quality-of-service level. For initial
network attachment of an emergency service requester, the method of how the emergency
indication is given to the IAP/ISP is specific to the access technology. However, a number
of general approaches can be identified:</t>
<t>- Link layer emergency indication: The end host provides an indication, e.g. an emergency
parameter or flag, as part of the link layer signaling for initial network attachment.
Examples include an explicit emergency bit signalled in the IEEE 802.16-2009 wireless
link, or tokens in 802.11 access that allow an access network to indicate emergency
capability to devices and can be mirrored back in case a device actually requests
emergency services during network entry as part of the lower-layer signaling.</t>
<t>- Higher-layer emergency indication: Typically emergency indication in access
authentication that is transparent to any access-specific lower-layer signaling.
The emergency caller's end host provides an indication as part of the
access authentication exchanges. EAP based authentication is of particular relevance
here.</t>
<section title="Link layer emergency indication">
<t>In general, link layer emergency indications provide good integration into the actual
network access procedures. This allows to recognize and prioritize an
emergency service request from an end host at a very early stage of the network
attachment procedure. However, support in end hosts for such methods cannot be
expected to be commonly available.</t>
<t>No general recommendations are given in the scope of this memo due to the following
reasons:</t>
<t>- Dependency on the specific access technology.</t>
<t>- Dependency on the specific access network architecture. Access authorization and
policy decisions typically happen at a different layers of the protocol stack and in
different entities than those terminating the link-layer signaling. As a result, link
layer indications need to be distributed and translated between the different involved
protocol layers and entities. Appropriate methods are specific to the actual
architecture of the IAP/ISP network.</t>
</section>
<section title="Higher-layer emergency indication">
<t>This section discusses pros and cons of emergency indications based on authentication
and authorization in EAP-based network access. No general recommendations like a
preferred method to indicate emergency are given in this version of the document.</t>
<t>An advantage of combining emergency indications with the actual network attachment
signaling performing authentication and authorization is the fact that the emergency
indication can directly be taken into account in the authentication and authorization
server. Such server implements the policy for granting access to the network resources. As a result,
there is no direct dependency on the access network architecture that would otherwise
need to take care of merging link-layer indications into the AA and policy decision
process.</t>
<t>EAP signaling happens at a relatively early stage of network attachment, so it is likely
to match most requirements for prioritization of emergency network entry. However, it does
not cover early stages of link layer activity in the network attachment process.
Possible conflicts may arise e.g. in case of MAC-based filtering in entities terminating
the link-layer signaling in the network (like a base station). In normal operation, EAP
messages including information like the EAP identity will only be recognized in the NAS.
Note that otherwise, a NAS is agnostic to the actual EAP method. Any entity residing
between end host and NAS cannot be expected to understand or digest information that
is exchanged as part of EAP messages, like EAP-related identities.</t>
<t>In practice, due to lack of a common standard there is no single way to provide higher
layer emergency indication during initial network entry as part of the NAI-formatted EAP
identity, and different systems use different methods. Examples include directly selecting
a special EAP identity (e.g. the NAI including the string 'emergency'), or NAI decoration.</t>
</section>
<section title="Securing network attachment in NAA cases">
<t>For network attachment in NAA cases, it may make sense to secure the link-layer
connection between the device and the IAP/ISP. This especially holds for wireless access
with an example being IEEE 802.16 based access that mandates secured
communication across the wireless link for all IAP/ISP networks based on <xref target="nwgstg3"/>.</t>
<t>Therefore, for network attachment that is by default based on EAP authentication it is
desirable <sm> [Not mandatory for IEEE 802.11, so perhaps we could remove these next couple of words] or even mandatory </sm>
also for NAA network attachment to use a key-generating EAP
method (that provides an MSK key to the authenticator to bootstrap further key
derivation for protecting the wireless link).</t>
<t>The following approaches to match the above can be identified. No preference is given
for one of the following methods as requirements may vary depending on the specific
environment:</t>
<t>1) Server-only authentication: The device of the emergency service requester performs
an EAP method with the IAP/ISP EAP server that performs server authentication only.
An example for this is EAP-TLS. This provides a certain level of assurance about the
IAP/ISP to the device user. It requires the device to be provisioned with appropriate
trusted root certificates to be able to verify the server certificate of the EAP server
(unless this step is explicitly skipped in the device in case of an emergency service
request).</t>
<t>2) Null authentication: an EAP method is performed. However, no credentials specific to
either the server or the device or subscription are used as part of the authentication
exchange. An example for this would be an EAP-TLS exchange with using the TLS_DH_anon
(anonymous) ciphersuite. Alternatively, a publicly available static key for emergency
access could be used. In the latter case, the device would need to be provisioned with
the appropriate emergency key for the IAP/ISP in advance.
</t>
<t>3) Device authentication: This case extends the server-only authentication case. If the
device is configured with a device certificate and the IAP/ISP EAP server can rely on a
trusted root allowing the EAP server to verify the device certificate, at least the
device identity (e.g. the MAC address) can be authenticated by the IAP/ISP in NAA cases.
An example for this are WiMAX devices that are shipped with device certificates issued
under the global WiMAX device public-key infrastructure. To perform unauthenticated
emergency calls, if allowed by the IAP/ISP, such devices perform EAP-TLS based network
attachment with client authentication based on the device certificate.</t>
</section>
</section>
<!-- ////////////////////////////////////////////////////////////////////////////////// -->
<section title="Profiles">
<section anchor="end-host" title="End Host Profile">
<section title="LoST Server Discovery">
<t> The end host MAY attempt to use <xref target="I-D.ietf-ecrit-lost"/> to discover
a LoST server. If that attempt fails, the end host SHOULD attempt to discover the
address of an ESRP. </t>
</section>
<section title="ESRP Discovery">
<t>The end host only needs an ESRP when location configuration or LoST server
discovery fails. If that is the case, then the end host MUST use the "Dynamic Host
Configuration Protocol (DHCP-for-IPv4) Option for Session Initiation Protocol
(SIP) Servers" <xref target="RFC3361"/> (for IPv6) and / or the "Dynamic Host
Configuration Protocol (DHCPv6) Options for Session Initiation Protocol (SIP)
Servers" <xref target="RFC3319"/> to discover the address of an ESRP. This SIP
proxy located in the ISP network will be used as the ESRP for routing emergency
calls. There is no need to discovery a separate SIP proxy with specific emergency
call functionality since the internal procedure for emergency call processing is
subject of ISP internal operation.</t>
</section>
<section title="Location Determination and Location Configuration">
<t>The end host SHOULD attempt to use the supported LCPs to configure its location.
If no LCP is supported in the end host or the location configuration is not
successful, then the end host MUST attempt to discover an ESRP, which would assist
the end host in providing the location to the PSAP. </t>
<t>The SIP UA in the end host SHOULD attach the location information in a PIDF-LO
<xref target="RFC4119"/> when making an emergency call. When constructing the
PIDF-LO the guidelines in PIDF-LO profile <xref
target="I-D.ietf-geopriv-pdif-lo-profile"/> MUST be followed. For civic
location information the format defined in <xref target="RFC5139"/> MUST be
supported.</t>
</section>
<section title="Emergency Call Identification">
<t> To determine which calls are emergency calls, some entity needs to map a user
entered dialstring into this URN scheme. A user may "dial" 1-1-2, but the call
would be sent to urn:service:sos. This mapping SHOULD be performed at the endpoint
device. It is recommended that the endpoint device be provisioned with relevant URN
information.</t>
<t>End hosts MUST use the Service URN mechanism <xref target="RFC5031"/> to mark
calls as emergency calls for their home emergency dial string (if known). For
visited emergency dial string the translation into the Service URN mechanism is
not mandatory since the ESRP in the ISPs network knows the visited emergency dial
strings. </t>
</section>
<section anchor="sip-client" title="SIP Emergency Call Signaling">
<t> SIP signaling capabilities <xref target="RFC3261"/> are mandated for end hosts. </t>
<t> The initial SIP signaling method is an INVITE. The SIP INVITE request MUST be
constructed according to the requirements in Section 9.2 <xref
target="I-D.ietf-ecrit-phonebcp"/>.</t>
<t>Regarding callback behavior SIP UAs MUST have a globally routable URI in a
Contact: header. </t>
</section>
<section anchor="client-media" title="Media">
<t>End points MUST comply with the media requirements for end points placing an
emergency call found in Section 14 of <xref target="I-D.ietf-ecrit-phonebcp"/>.
</t>
</section>
<section anchor="client-testing" title="Testing">
<t>The description in Section 15 of <xref target="I-D.ietf-ecrit-phonebcp"/> is fully
applicable to this document.</t>
</section>
</section>
<section anchor="isp" title="IAP/ISP Profile">
<section title="ESRP Discovery">
<t>An ISP hosting an ESRP MUST implement the server side part of "Dynamic Host
Configuration Protocol (DHCP-for-IPv4) Option for Session Initiation Protocol
(SIP) Servers" <xref target="RFC3361"/> (for IPv4) and / or the "Dynamic Host
Configuration Protocol (DHCPv6) Options for Session Initiation Protocol (SIP)
Servers" <xref target="RFC3319"/>.</t>
</section>
<section title="Location Determination and Location Configuration">
<t>The ISP not hosting an ESRP MUST support at least one widely used LCP. The ISP
hosting an ESRP MUST perform the neccesary steps to determine the location of the
end host. It is not necessary to standardize a specific mechanism.</t>
<t>The role of the ISP is to operate the LIS. The usage of HELD <xref
target="I-D.ietf-geopriv-http-location-delivery"/> with the identity extensions
<xref target="I-D.ietf-geopriv-held-identity-extensions"/> may be a
possible choice. It might be necessary for the ISP to talk to the IAP in order to
determine the location of the end host. The work on LIS-to-LIS communication may
be relevant, see <xref target="I-D.winterbottom-geopriv-lis2lis-req"/>.</t>
<!--
<t>Note that this architecture also fulfills the requirements for location hiding, see
<xref target="I-D.schulzrinne-ecrit-location-hiding-requirements"/>.</t>
-->
</section>
</section>
<section anchor="esrp" title="ESRP Profile">
<section title="Emergency Call Routing">
<t>The ESRP must route the emergency call to the PSAP responsible for the physical
location of the end host. However, a standardized approach for determining the
correct PSAP based on a given location is useful but not mandatory. </t>
<t>For cases where a standardized protocol is used LoST <xref
target="I-D.ietf-ecrit-lost"/> is a suitable mechanism.</t>
</section>
<section title="Emergency Call Identification">
<t>The ESRP MUST understand the Service URN mechanism <xref target="RFC5031"/> (i.e.,
the 'urn:service:sos' tree) and additionally the national emergency dial strings.
The ESRP SHOULD perform a mapping of national emergency dial strings to Service
URNs to simplify processing at PSAPs. </t>
</section>
<section anchor="esrp-sip" title="SIP Emergency Call Signaling">
<t> SIP signaling capabilities <xref target="RFC3261"/> are mandated for the ESRP.
The ESRP MUST process the messages sent by the client, according to <xref
target="sip-client"/>. Furthermore, the ESRP MUST be able to add a reference to
location information, as described in SIP Location Conveyance <xref
target="I-D.ietf-sip-location-conveyance"/>, before forwarding the call to the
PSAP. The ISP MUST be prepared to receive incoming dereferencing requests to
resolve the reference to the location information.</t>
</section>
<section title="Location Retrieval">
<t>The ESRP acts a location recipient and the usage of HELD <xref
target="I-D.ietf-geopriv-http-location-delivery"/> with the identity extensions
<xref target="I-D.ietf-geopriv-held-identity-extensions"/> may be a
possible choice. The ESRP would thereby act as a HELD client and the corresponding
LIS at the ISP as the HELD server.</t>
<t>The ESRP needs to obtain enough information to route the call. The ESRP itself,
however, does not necessarily need to process location information obtained via
HELD since it may be used as input to LoST to obtain the PSAP URI.</t>
<!--
The exact detail of the location information that needs to be understood by the ESRP for determining
the route towards the PSAP depends on the specifics of the emergency services infrastructure in the
corresponding country. For some countries it is sufficient almost no location information needs to be
understood to correctly route the call. For a generic solution, however, it is important
for the ESRP (or an associated entity making location information available to the PSAP)
MUST understand the PIDF-LO format <xref target="RFC4119"/>, the PIDF-LO profile <xref
target="I-D.ietf-geopriv-pdif-lo-profile"/> and the revised civic format <xref
target="RFC5139"/>.
</t>-->
</section>
</section>
</section>
<!-- ////////////////////////////////////////////////////////////////////////////////// -->
<!--
<section title="Example">
<t>[Editor's Note: A WLAN hotspot or a DSL home network example could go in here.]</t>
</section>
-->
<!-- ////////////////////////////////////////////////////////////////////////////////// -->
<!--
<section title="Example">
<t>[Editor's Note: A WLAN hotspot or a DSL home network example could go in here.]</t>
</section>
-->
<!-- ////////////////////////////////////////////////////////////////////////////////// -->
<section title="Security Considerations">
<t>The security threats discussed in <xref target="RFC5069"/> are applicable to this
document. A number of security vulnerabilities discussed in <xref
target="I-D.ietf-geopriv-arch"/> around faked location information are less
problematic in this case since location information does not need to be provided by the
end host itself or it can be verified to fall within a specific geographical area. </t>
<t>There are a couple of new vulnerabilities raised with unauthenticated emergency services
since the PSAP operator does is not in possession of any identity information about the
emergency call via the signaling path itself. In countries where this functionality is
used for GSM networks today this has lead to a significant amount of misuse. </t>
<t>The link layer mechanisms need to provide a special way of handling unauthenticated
emergency services. Although this subject is not a topic for the IETF itself but there
are at least a few high-level assumptions that may need to be collected. This includes
security features that may be desirable. </t>
</section>
<!-- ////////////////////////////////////////////////////////////////////////////////// -->
<section title="Acknowledgments">
<t> Section 6 of this document is derived from <xref target="I-D.ietf-ecrit-phonebcp"/>.
The WiMax Forum contributed parts of the terminology. Participants of the 2nd and 3rd
SDO Emergency Services Workshop provided helpful input. </t>
</section>
<!-- ////////////////////////////////////////////////////////////////////////////////// -->
<section title="IANA Considerations">
<t>This document does not require actions by IANA.</t>
</section>
<!-- ////////////////////////////////////////////////////////////////////////////////// -->
<!-- <section title="Open Issues">
<t>The following three high-level topics have been determined as open issues: <list
style="symbols">
<t>NAT Traversal: A certain NAT traversal story needs to be described and mandated.
Most likely ICE for both the PSAP and the end host.</t>
<t>A DNS-based discovery procedure that discovers an ESRP in the local access network
may need to be provided.</t>
<t>Text about link layer requirements are missing. These are necessary to make the
"big picture" complete. </t>
<t>EAP method for emergency calls: Some of the discussions around the liaison request
from the IEEE to the IETF EMU WG need to get reflected.</t>
<t>Quality of Service treatment for emergency calls has not been described in this
document</t>
</list>
</t>
</section>
-->
<!-- ////////////////////////////////////////////////////////////////////////////////// -->
</middle>
<!-- ////////////////////////////////////////////////////////////////////////////////// -->
<back>
<references title="Normative References"> &I-D.ietf-sip-location-conveyance; &RFC5031;
&RFC4119; &I-D.ietf-geopriv-pdif-lo-profile; &RFC5139; &RFC3361;
&RFC3319; &RFC3261; &RFC2119; &I-D.ietf-ecrit-phonebcp; &RFC5222;
&RFC5223;</references>
<references title="Informative References"> &I-D.ietf-ecrit-lost;
&I-D.ietf-geopriv-l7-lcp-ps; &I-D.ietf-ecrit-framework;
&I-D.ietf-geopriv-http-location-delivery; &RFC5012;
&I-D.ietf-geopriv-held-identity-extensions;
&I-D.winterbottom-geopriv-lis2lis-req; &RFC5069; &I-D.ietf-geopriv-arch;
<reference anchor="esw07">
<front>
<title>3rd SDO Emergency Services Workshop,
http://www.emergency-services-coordination.info/2007Nov/</title>
<author fullname="" initials="" surname="">
<organization/>
</author>
<date month="October 30th - November 1st" year="2007"/>
</front>
<format target="http://www.emergency-services-coordination.info/2007Nov/" type="html"/>
</reference>
<reference anchor="nwgstg3">
<front>
<title>WiMAX Forum WMF-T33-001-R015V01, WiMAX Network Architecture Stage-3
http://www.wimaxforum.org/sites/wimaxforum.org/files/
technical_document/2009/09/DRAFT-T33-001-R015v01-O_Network-Stage3-Base.pdf</title>
<author fullname="" initials="" surname="">
<organization/>
</author>
<date month="September" year="2009"/>
</front>
<format target="http://www.wimaxforum.org/sites/wimaxforum.org/files/technical_document/2009/09/DRAFT-T33-001-R015v01-O_Network-Stage3-Base.pdf" type="html"/>
</reference>
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-22 06:48:21 |