draft-ietf-ecrit-psap-callback-00.txt   draft-ietf-ecrit-psap-callback-01.txt 
ECRIT H. Schulzrinne ECRIT H. Schulzrinne
Internet-Draft Columbia University Internet-Draft Columbia University
Intended status: Informational H. Tschofenig Intended status: Informational H. Tschofenig
Expires: March 25, 2011 Nokia Siemens Networks Expires: April 28, 2011 Nokia Siemens Networks
M. Patel M. Patel
Nortel Nortel
September 21, 2010 October 25, 2010
Public Safety Answering Point (PSAP) Callbacks Public Safety Answering Point (PSAP) Callbacks
draft-ietf-ecrit-psap-callback-00.txt draft-ietf-ecrit-psap-callback-01.txt
Abstract Abstract
After an emergency call is completed (either prematurely terminated After an emergency call is completed (either prematurely terminated
by the emergency caller or normally by the call-taker) it is possible by the emergency caller or normally by the call-taker) it is possible
that the call-taker feels the need for further communication or for a that the call-taker feels the need for further communication or for a
clarification. For example, the call may have been dropped by clarification. For example, the call may have been dropped by
accident without the call-taker having sufficient information about accident without the call-taker having sufficient information about
the current situation of a wounded person. A call-taker may trigger the current situation of a wounded person. A call-taker may trigger
a callback towards the emergency caller using the contact information a callback towards the emergency caller using the contact information
provided with the initial emergency call. This callback could, under provided with the initial emergency call. This callback could, under
certain circumstances, then be treated like any other call and as a certain circumstances, then be treated like any other call and as a
consequence, it may get blocked by authorization policies or may get consequence, it may get blocked by authorization policies or may get
forwarded to an answering machine. forwarded to an answering machine.
The IETF emergency services architecture addresses callbacks in a The IETF emergency services architecture addresses callbacks in a
limited fashion and thereby covers a couple of scenarios. This limited fashion and thereby covers a couple of scenarios. This
document discusses some shortcomings and raises the question whether document discusses some shortcomings and illustrates an extension.
additional solution techniques are needed.
Status of this Memo Status of this Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 25, 2011. This Internet-Draft will expire on April 28, 2011.
Copyright Notice Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
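Review bot: The header still reads "Intended status: Informational" although the -01 abstract now says the document "illustrates an extension", and later sections add an ABNF definition and an IANA registration. Confirm that Informational is still the intended status for a document that defines a new URI parameter, or adjust the header.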
skipping to change at page 2, line 29 skipping to change at page 2, line 26
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Routing Asymmetry . . . . . . . . . . . . . . . . . . . . 3 1.1. Routing Asymmetry . . . . . . . . . . . . . . . . . . . . 3
1.2. Multi-Stage Resolution . . . . . . . . . . . . . . . . . . 4 1.2. Multi-Stage Resolution . . . . . . . . . . . . . . . . . . 4
1.3. Call Forwarding . . . . . . . . . . . . . . . . . . . . . 5 1.3. Call Forwarding . . . . . . . . . . . . . . . . . . . . . 5
1.4. PSTN Interworking . . . . . . . . . . . . . . . . . . . . 7 1.4. PSTN Interworking . . . . . . . . . . . . . . . . . . . . 7
1.5. Network-based Service URN Resolution . . . . . . . . . . . 7 1.5. Network-based Service URN Resolution . . . . . . . . . . . 7
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 9 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 9
3. Design Approaches . . . . . . . . . . . . . . . . . . . . . . 10 3. Architecture . . . . . . . . . . . . . . . . . . . . . . . . . 10
4. Topics for Investigation . . . . . . . . . . . . . . . . . . . 13 4. Callback Marking . . . . . . . . . . . . . . . . . . . . . . . 12
5. Security Considerations . . . . . . . . . . . . . . . . . . . 14 5. Security Considerations . . . . . . . . . . . . . . . . . . . 13
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 15 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 16 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 15
7.1. Informative References . . . . . . . . . . . . . . . . . . 16 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 16
7.2. Informative References . . . . . . . . . . . . . . . . . . 16 8.1. Informative References . . . . . . . . . . . . . . . . . . 16
8.2. Informative References . . . . . . . . . . . . . . . . . . 16
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 18 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 18
1. Introduction 1. Introduction
Summoning police, the fire department or an ambulance in emergencies Summoning police, the fire department or an ambulance in emergencies
is one of the fundamental and most-valued functions of the telephone. is one of the fundamental and most-valued functions of the telephone.
As telephone functionality moves from circuit-switched telephony to As telephone functionality moves from circuit-switched telephony to
Internet telephony, its users rightfully expect that this core Internet telephony, its users rightfully expect that this core
functionality will continue to work at least as well as it has for functionality will continue to work at least as well as it has for
the legacy technology. New devices and services are being made the legacy technology. New devices and services are being made
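Review bot: In the renumbered table of contents, 8.1 and 8.2 are both titled "Informative References", a duplicate carried over from 7.1 and 7.2. Since 8.1 holds [RFC2119], which Section 2 relies on for the requirement keywords, it should be titled "Normative References". The references the new Section 4 syntax depends on ([RFC3966], [RFC5234]) are listed under 8.2 and would belong in the normative list as well.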
skipping to change at page 10, line 5 skipping to change at page 10, line 5
Figure 5: Example for Network-based Service URN Resolution Figure 5: Example for Network-based Service URN Resolution
2. Terminology 2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
Emergency services related terminology is borrowed from [RFC5012]. Emergency services related terminology is borrowed from [RFC5012].
3. Design Approaches 3. Architecture
The starting point of the investigations is the currently provided Section 4 describes how to mark a call as a callback. However, the
functionality in Section 13 of [I-D.ietf-ecrit-framework]. It pure emergency service callback marking is insufficient since it
focuses on identifying a response to a previously made emergency lacks any built-in security mechanism. Fortunately, available SIP
call. As described in the introduction this approach is quite coarse security techniques for the purpose of authorization can be re-used,
grained since any call from the PSAP's domain is given preferential as described in the rest of the section.
treatment. This approach is, however, likely going to be practical.
Still there are a couple of limitations, as discussed in this
document.
To expand on the initially provided solution the following In Figure 6 an interaction is presented that allows a SIP entity to
description starts with attempt to identify the caller as a PSAP. make a policy decision whether to bypass installed authorization
There are two approaches for accomplishing this functionality. policies and thereby providing preferential treatment. To make this
decision the sender's identity is compared with a whitelist of valid
PSAPs. The identity assurances in SIP can come in different forms,
such as SIP Identity [RFC4474] or with P-Asserted-Identity [RFC3325].
The former technique relies on a cryptographic assurance and the
latter on a chain of trust.
+----------+ +----------+
| List of |+ | List of |+
| valid || | valid ||
| PSAP ids || | PSAP ids ||
+----------+| +----------+|
+----------+ +----------+
* *
* whitelist * whitelist
* *
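Review bot: The new opening of Section 3 says the marking "lacks any built-in security mechanism" and that SIP security techniques "can be re-used", but it never states that a recipient ignores the callback parameter unless the identity check succeeds. Suggest adding that sentence here so the dependency between Section 4 and this section is explicit. For the P-Asserted-Identity case ("the latter on a chain of trust"), it would also help to say that the whitelist comparison is only meaningful when the header was received from a trusted neighbor, since no cryptographic assurance is carried.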
skipping to change at page 10, line 45 skipping to change at page 10, line 47
+----------+ +----------+
|| ||
|| ||
|| Preferential || Preferential
|| Treatment || Treatment
++=============> ++=============>
(in whitelist) (in whitelist)
Figure 6: Identity-based Authorization Figure 6: Identity-based Authorization
In Figure 6 an interaction is presented that allows a SIP entity to
make a policy decision whether to bypass installed authorization
policies and thereby providing preferential treatment. To make this
decision the sender's identity is compared with a whitelist of valid
PSAPs. The identity assurances in SIP can come in different forms,
such as SIP Identity [RFC4474] or with P-Asserted-Identity [RFC3325].
The former technique relies on a cryptographic assurance and the
latter on a chain of trust.
The establishment of a whitelist with PSAP identities is The establishment of a whitelist with PSAP identities is
operationally complex and does not easily scale world wide. When operationally complex and does not easily scale world wide. When
there is a local relationship between the VSP/ASP and the PSAP then there is a local relationship between the VSP/ASP and the PSAP then
populating the whitelist is far simpler. populating the whitelist is far simpler.
An alternative approach to an identity based authorization model is An alternative approach to an identity based authorization model is
outlined in Figure 7. In fact, RFC 4484 [RFC4484] already outlined in Figure 7. In fact, RFC 4484 [RFC4484] already
illustrated the basic requirements for this technique. illustrated the basic requirements for this technique.
+----------+ +----------+
skipping to change at page 12, line 5 skipping to change at page 12, line 5
In a trait-based authorization scenario an incoming SIP message In a trait-based authorization scenario an incoming SIP message
contains a form of trait, i.e. some form of assertion. The assertion contains a form of trait, i.e. some form of assertion. The assertion
contains an indication that the sending party has the role of a PSAP contains an indication that the sending party has the role of a PSAP
(or similar emergency services entity). The assertion is either (or similar emergency services entity). The assertion is either
cryptographically protected to enable end-to-end verification or an cryptographically protected to enable end-to-end verification or an
chain of trust security model has to be assumed. In Figure 7 we chain of trust security model has to be assumed. In Figure 7 we
assume an end-to-end security model where trust anchors are assume an end-to-end security model where trust anchors are
provisioned to ensure the ability for a SIP entity to verify the provisioned to ensure the ability for a SIP entity to verify the
received assertion. received assertion.
From a solution point of view various approaches are feasible, such 4. Callback Marking
as SIP SAML (see [I-D.ietf-sip-saml]) or URI Parameters for
indicating the Calling Party's Category and Originating Line
Information (see [I-D.patel-dispatch-cpc-oli-parameter]).
Still, a drawback of the outlined approaches above is that it does The callback marking is represented as URI parameter for an URI
not allow any mechanism to distinguish different types of calls scheme. The ABNF [RFC5234] syntax is as follows. The 'par'
initiated by PSAPs. Not every call from a PSAP is indeed a response production is defined in RFC 3966 [RFC3966]. The "/=" syntax
to an emergency call. indicates an extension of the production on the left-hand side:
This leads us to another mechanism on top of the previously presented par /= callback
onces, namely the indication is that the communication attempt is of
emergency nature. As such, it is a slight modification of the one
presented previously. In addition to the indication that the calling
party is a PSAP there is an expression that the specific call is of
emergency services nature. This indication cannot be verified by
external parties, similarly to the emergency call marking for a
citizen-to-authority emergency call using a Service URN, because it
heavily depends on the intention of the call taker itself.
4. Topics for Investigation callback = callback-tag "=" callback-value
When you make an IP-based emergency call to an IP-based PSAP then the callback-tag = "callback"
PSAP will get two pieces of identity information about the emergency
caller:
o Contact-URI: Information that uniquely identifies the device the callback-value = "normal" / "test" /
call came from.
o Address of Record: Long-term contact information The semantics of the callback values are described below:
Should the callback functionality be tied to a previous emergency normal: This represents an normal PSAP callback.
call setup and as such enabled only for a specific time? For
example, preferential treatment for callbacks could be provided only
within one hour after the initial emergency call was made.
Is it expected that the callback reaches primarily the device that test: This is a test callback.
initiated the emergency call? In some cases the device that was used
to originally initiate the call does not respond anymore to a
callback (e.g. imagine a fixed line phone that was used to report a
fire in a house and is out of order soon afterwards). Since the
initial emergency call provided a second contact mechanism (namely
the address of record) it could be used by the call taker as well.
Should this communication also experience the same type of override
privilege as the initially transmitted callback to the emergency
caller's device?
Should any restrictions be made regarding the media being used for An example of the "callback" parameter is given below:
callback? Is it acceptable to return an instant message when the
caller started the conversation with audio? From: <tel:+17005554141;callback=test>;tag=1928301774
5. Security Considerations 5. Security Considerations
This document provides discussions problems of PSAP callbacks and This document defines a callback marking scheme using URI parameters
explores the design space. and illustrates how to handle authorization for preferential
treatment.
An important aspect from a security point of view is the relationship An important aspect from a security point of view is the relationship
between the emergency services network and the VSP (assuming that the between the emergency services network and the VSP (assuming that the
emergency call travels via the VSP and not directly between the SIP emergency call travels via the VSP and not directly between the SIP
UA and the PSAP). If there is some form of relationship between the UA and the PSAP). If there is some form of relationship between the
emergency services operator and the VSP then the identification of a emergency services operator and the VSP then the identification of a
PSAP call back is less problematic than in the case where the two PSAP call back is less problematic than in the case where the two
entities have not entered in some form of relationship that would entities have not entered in some form of relationship that would
allow the VSP to verify whether the marked callback message indeed allow the VSP to verify whether the marked callback message indeed
came from a legitimate source. came from a legitimate source.
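Review bot: The new ABNF in Section 4 ends the callback-value rule with a dangling alternation, callback-value = "normal" / "test" /, which is not valid ABNF and leaves open whether further values are permitted. Either drop the trailing "/" or add an explicit extension alternative, and state how a recipient treats an unknown value. The introductory sentence says the parameter is for "an URI scheme" without naming it; the rule extended is 'par' from RFC 3966 and the example uses a tel URI in From, so the text should say whether SIP URIs are covered too. Minor: "an normal PSAP callback" should read "a normal PSAP callback". The removed text also observed that not every call from a PSAP is a response to an emergency call and asked whether preferential treatment should be limited in time after the initial call; the new section drops both points without resolving them.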
skipping to change at page 15, line 5 skipping to change at page 14, line 5
overriding user interface configurations, such as vibrate-only mode. overriding user interface configurations, such as vibrate-only mode.
As such, the requirement is to ensure that the mechanisms described As such, the requirement is to ensure that the mechanisms described
in this document can not be used for malicious purposes, including in this document can not be used for malicious purposes, including
SPIT. SPIT.
It is important that PSAP callback marked SIP messages, which cannot It is important that PSAP callback marked SIP messages, which cannot
be verified adequately, are treated like a call that does not have be verified adequately, are treated like a call that does not have
any marking attached instead of failing the call processing any marking attached instead of failing the call processing
procedure. procedure.
6. Acknowledgements 6. IANA Considerations
This document extends the registry of URI parameters, as defined RFC
3969 [RFC3969]. Two new URI parameters are defined in this document
as follows:
Parameter Name: callback
Predefined Values: Yes
Reference: This document
7. Acknowledgements
We would like to thank members from the ECRIT working group, in We would like to thank members from the ECRIT working group, in
particular Brian Rosen, for their discussions around PSAP callbacks. particular Brian Rosen, for their discussions around PSAP callbacks.
The working group discussed the topic of callbacks at their virtual The working group discussed the topic of callbacks at their virtual
interim meeting in February 2010 and the following persons provided interim meeting in February 2010 and the following persons provided
valuable input: John Elwell, Bernard Aboba, Cullen Jennings, Keith valuable input: John Elwell, Bernard Aboba, Cullen Jennings, Keith
Drage, Marc Linsner, Roger Marshall, Dan Romascanu, Geoff Thompson, Drage, Marc Linsner, Roger Marshall, Dan Romascanu, Geoff Thompson,
Milan Patel, Janet Gunn. Milan Patel, Janet Gunn.
7. References 8. References
7.1. Informative References 8.1. Informative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
7.2. Informative References 8.2. Informative References
[I-D.ietf-ecrit-framework] [I-D.ietf-ecrit-framework]
Rosen, B., Schulzrinne, H., Polk, J., and A. Newton, Rosen, B., Schulzrinne, H., Polk, J., and A. Newton,
"Framework for Emergency Calling using Internet "Framework for Emergency Calling using Internet
Multimedia", draft-ietf-ecrit-framework-11 (work in Multimedia", draft-ietf-ecrit-framework-11 (work in
progress), July 2010. progress), July 2010.
[I-D.ietf-sip-saml] [I-D.ietf-sip-saml]
Tschofenig, H., Hodges, J., Peterson, J., Polk, J., and D. Tschofenig, H., Hodges, J., Peterson, J., Polk, J., and D.
Sicker, "SIP SAML Profile and Binding", Sicker, "SIP SAML Profile and Binding",
draft-ietf-sip-saml-07 (work in progress), March 2010. draft-ietf-sip-saml-08 (work in progress), October 2010.
[I-D.patel-dispatch-cpc-oli-parameter]
Patel, M., Jesske, R., and M. Dolly, "Uniform Resource
Identifier (URI) Parameters for indicating the Calling
Party's Category and Originating Line Information",
draft-patel-dispatch-cpc-oli-parameter-03 (work in
progress), June 2010.
[I-D.patel-ecrit-sos-parameter]
Patel, M., "SOS Uniform Resource Identifier (URI)
Parameter for Marking of Session Initiation Protocol (SIP)
Requests related to Emergency Services",
draft-patel-ecrit-sos-parameter-09 (work in progress),
July 2010.
[RFC3325] Jennings, C., Peterson, J., and M. Watson, "Private [RFC3325] Jennings, C., Peterson, J., and M. Watson, "Private
Extensions to the Session Initiation Protocol (SIP) for Extensions to the Session Initiation Protocol (SIP) for
Asserted Identity within Trusted Networks", RFC 3325, Asserted Identity within Trusted Networks", RFC 3325,
November 2002. November 2002.
[RFC3966] Schulzrinne, H., "The tel URI for Telephone Numbers",
RFC 3966, December 2004.
[RFC3969] Camarillo, G., "The Internet Assigned Number Authority
(IANA) Uniform Resource Identifier (URI) Parameter
Registry for the Session Initiation Protocol (SIP)",
BCP 99, RFC 3969, December 2004.
[RFC4474] Peterson, J. and C. Jennings, "Enhancements for [RFC4474] Peterson, J. and C. Jennings, "Enhancements for
Authenticated Identity Management in the Session Authenticated Identity Management in the Session
Initiation Protocol (SIP)", RFC 4474, August 2006. Initiation Protocol (SIP)", RFC 4474, August 2006.
[RFC4484] Peterson, J., Polk, J., Sicker, D., and H. Tschofenig, [RFC4484] Peterson, J., Polk, J., Sicker, D., and H. Tschofenig,
"Trait-Based Authorization Requirements for the Session "Trait-Based Authorization Requirements for the Session
Initiation Protocol (SIP)", RFC 4484, August 2006. Initiation Protocol (SIP)", RFC 4484, August 2006.
[RFC5012] Schulzrinne, H. and R. Marshall, "Requirements for [RFC5012] Schulzrinne, H. and R. Marshall, "Requirements for
Emergency Context Resolution with Internet Technologies", Emergency Context Resolution with Internet Technologies",
RFC 5012, January 2008. RFC 5012, January 2008.
[RFC5031] Schulzrinne, H., "A Uniform Resource Name (URN) for [RFC5031] Schulzrinne, H., "A Uniform Resource Name (URN) for
Emergency and Other Well-Known Services", RFC 5031, Emergency and Other Well-Known Services", RFC 5031,
January 2008. January 2008.
[RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, RFC 5234, January 2008.
Authors' Addresses Authors' Addresses
Henning Schulzrinne Henning Schulzrinne
Columbia University Columbia University
Department of Computer Science Department of Computer Science
450 Computer Science Building 450 Computer Science Building
New York, NY 10027 New York, NY 10027
US US
Phone: +1 212 939 7004 Phone: +1 212 939 7004
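Review bot: The new IANA Considerations section says "Two new URI parameters are defined in this document" but lists only one, callback; fix the count or add the missing entry. The registry cited is RFC 3969, which the reference list describes as the URI parameter registry "for the Session Initiation Protocol (SIP)", while Section 4 extends the 'par' production of the tel URI from RFC 3966, so the registration target and the syntax do not match as written. "Predefined Values: Yes" should name the values (normal, test). Minor: "as defined RFC 3969" is missing "in".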
 End of changes. 29 change blocks. 
97 lines changed or deleted 73 lines changed or added
