ECRIT                                                     H. Schulzrinne
Internet-Draft                                       Columbia University
Intended status: Standards Track                           H. Tschofenig
Expires: April 29, 2012                           Nokia Siemens Networks
                                                             C. Holmberg
                                                                Ericsson
                                                                M. Patel
                                             InterDigital Communications
                                                        October 27, 2011

             Public Safety Answering Point (PSAP) Callback
                 draft-ietf-ecrit-psap-callback-03.txt

Abstract

   After an emergency call is completed (either prematurely terminated
   by the emergency caller or normally by the call-taker) it is possible
   that the call-taker feels the need for further communication.  For
   example, the call may have been dropped by accident without the call-
   taker having sufficient information about the current situation of a
   wounded person.  A call-taker may trigger a callback towards the
   emergency caller using the contact information provided with the
   initial emergency call.  This callback could, under certain
   circumstances, then be treated like any other call and as a
   consequence it may get blocked by authorization policies or may get
   forwarded to an answering machine.

   The IETF emergency services architecture offers capabilities to allow
   callbacks to bypass authorization policies to reach the caller without
   unnecessary delays.  However, the mechanism specified prior to this
   document supports only limited scenarios.  This document discusses
   some shortcomings, presents additional scenarios where better-than-
   normal call treatment behavior would be desirable, and specifies a
   protocol solution.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 29, 2012.

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Callback Scenarios
     3.1.  Routing Asymmetry
     3.2.  Multi-Stage Routing
     3.3.  Call Forwarding
     3.4.  Network-based Service URN Resolution
     3.5.  PSTN Interworking
   4.  Specification
   5.  Security Considerations
   6.  IANA Considerations
   7.  Acknowledgements
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Alternative Solutions Considered
     A.1.  Identity-based Authorization
     A.2.  Trait-based Authorization
     A.3.  Call Marking
   Authors' Addresses

1.  Introduction

   Summoning police, the fire department or an ambulance in emergencies
   is one of the fundamental and most-valued functions of the telephone.
   As telephone functionality moves from circuit-switched telephony to
   Internet telephony, its users rightfully expect that this core
   functionality will continue to work at least as well as it has for
   the legacy technology.  New devices and services are being made
   available that could be used to make a request for help, which are
   not traditional telephones, and users are increasingly expecting them
   to be used to place emergency calls.

   An overview of the protocol interactions for emergency calling using
   the IETF emergency services architecture is described in
   [I-D.ietf-ecrit-framework] and [I-D.ietf-ecrit-phonebcp] specifies
   the technical details.  As part of the emergency call setup procedure
   two important identifiers are conveyed to the PSAP call-taker's user
   agent, namely the Address-Of-Record (AoR), and the Globally Routable
   User Agent (UA) URIs (GRUU).  RFC 3261 [RFC3261] defines the AoR as:

      An address-of-record (AOR) is a SIP or SIPS URI that points to a
      domain with a location service that can map the URI to another URI
      where the user might be available.  Typically, the location
      service is populated through registrations.  An AOR is frequently
      thought of as the "public address" of the user.

   In SIP systems a single user can have a number of user agents
   (handsets, softphones, voicemail accounts, etc.) which are all
   referenced by the same AOR.  There are a number of cases in which it
   is desirable to have an identifier which addresses a single user
   agent rather than the group of user agents indicated by an AOR.  The
   GRUU is such a unique user-agent identifier, which is still globally
   routable.  [RFC5627] specifies how to obtain and use GRUUs.

   Regulatory requirements demand that the emergency call itself
   provides enough information to allow the call-taker to initiate a
   call back to the emergency caller in case the call dropped or to
   interact with the emergency caller in case of further questions.  The
   AoR and the GRUU serve this purpose.  The communication attempt by
   the PSAP call-taker back to the emergency caller is called 'PSAP
   callback'.

   A PSAP callback may, however, be blocked by user configured
   whitelists or may be forwarded to an answering machine as SIP
   entities (SIP proxies as well as the SIP UA itself) cannot
   differentiate the callback from any other SIP call establishing
   attempt from the SIP signaling message.

   While there are no regulatory requirements at the time of writing of
   this specification there is the belief that PSAP callbacks have to
   be treated in such a way that they reach the emergency caller.  For
   this purpose guidance for PSAP callback handling has been provided in
   Section 13 of [I-D.ietf-ecrit-framework]:

      A UA may be able to determine a PSAP call back by examining the
      domain of incoming calls after placing an emergency call and
      comparing that to the domain of the answering PSAP from the
      emergency call.  Any call from the same domain and directed to the
      supplied Contact header or AoR after an emergency call should be
      accepted as a callback from the PSAP if it occurs within a
      reasonable time after an emergency call was placed.

   This approach mimics a stateful packet filtering firewall and is
   indeed helpful in a number of cases.  It is also relatively simple to
   implement.  Unfortunately, it does not work in all SIP deployment
   scenarios.  In Section 3 we describe scenarios where the currently
   standardized approach is insufficient.  In Section 4 a solution is
   described.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   Emergency services related terminology is borrowed from [RFC5012].

3.  Callback Scenarios

   This section illustrates a number of scenarios where the currently
   specified solution, as specified in [I-D.ietf-ecrit-phonebcp], for
   preferential treatment of callbacks fails.  As explained in Section 1
   a SIP entity examines an incoming PSAP call back by comparing the
   domain of the PSAP with the destination domain of the emergency call.

3.1.  Routing Asymmetry

   In some deployment environments it is common to have incoming and
   outgoing SIP messaging routed through different SIP entities.
   Figure 1 shows this graphically whereby a VoIP provider uses
   different SIP proxies for inbound and for outbound call handling.
   Unless the two devices are state synchronized the callback hitting
   the inbound proxy would get treated like any other call since the
   emergency call established state information at the outbound proxy
   only.

                                                   ,-------.
                                                 ,'         `.
                      ,-------.                 /  Emergency  \
                    ,'         `.              |   Services    |
                   /  VoIP       \      I      |   Network     |
                  |   Provider    |     n      |               |
                  |               |     t      |               |
                  |               |     e      |               |
                  |   +-------+   |     r      |               |
               +--+---|Inbound|<--+-----m      |               |
               |  |   |Proxy  |   |     e      |   +------+    |
               |  |   +-------+   |     d      |   |PSAP  |    |
               |  |               |     i      |   +--+---+    |
     +----+    |  |               |     a-+    |      |        |
     | UA |<---+  |               |     t |    |      |        |
     |    |----+  |               |     e |    |      |        |
     +----+    |  |               |       |    |      |        |
               |  |               |     P  |   |      |        |
               |  |               |     r  |   |      |        |
               |  |   +--------+  |     o   |  |      |        |
               +--+-->|Outbound|--+---->v   |  |   +--+---+    |
                  |   |Proxy   |  |     i    | | +-+ESRP  |    |
                  |   +--------+  |     d    | | | +------+    |
                  |               |     e     || |             |
                  |               |     r     |+-+             |
                   \             /             |               |
                    `.         ,'               \             /
                      '-------'                  `.         ,'
                                                   '-------'

                  Figure 1: Example for Routing Asymmetry

3.2.  Multi-Stage Routing

   Consider the following emergency call routing scenario shown in
   Figure 2 where routing towards the PSAP occurs in several stages.  In
   this scenario we consider a SIP UA that uses LoST to learn the next
   hop destination closer to the PSAP.  This call is then sent to the
   user's VoIP provider.  The user's VoIP provider receives the
   emergency call and creates state based on the destination domain,
   namely state.com.  It then routes it to the indicated ESRP.  When the
   ESRP receives it it needs to decide what the next hop is to get it
   closer to the PSAP.  In our example the next hop is the PSAP with the
   URI psap@town.com.

   When a callback is sent from psap@town.com towards the emergency
   caller the call will get normal treatment by the VoIP providers
   inbound proxy since the domain of the PSAP does not match the stored
   state information.

                                         ,-------.
       +----+                          ,'         `.
       | UA |--- esrp1@foobar.com     /  Emergency  \
       +----+   \                    |   Services    |
                 \  ,-------.        |   Network     |
                  ,'         `.      |               |
                 /   VoIP      \     |   +------+    |
                (    Provider   )    |   |PSAP  |    |
                 \             /     |   +--+---+    |
                  `.         ,'      |      |        |
                    '---+---'        |      |        |
                        |            |psap@town.com  |
                esrp@state.com       |      |        |
                        |            |      |        |
                        |            |      |        |
                        |            |   +--+---+    |
                        +------------+---+ESRP  |    |
                                     |   +------+    |
                                     |               |
                                      \             /
                                       `.         ,'
                                         '-------'

                 Figure 2: Example for Multi-Stage Routing

3.3.  Call Forwarding

   Imagine the following case where an emergency call enters an
   emergency network (state.org) via an ESRP but then gets forwarded to
   a different emergency services network (in our example to police-
   town.org, fire-town.org or medic-town.org).  The same considerations
   apply when the police, fire and ambulance networks are part of
   the state.org sub-domains (e.g., police.state.org).

   Similarly to the previous scenario the problem here is with the wrong
   state information being established during the emergency call setup
   procedure.  A callback would originate in the police-town.org, fire-
   town.org or medic-town.org domain whereas the emergency caller's SIP
   UA or the VoIP outbound proxy has stored state.org.

                                   ,-------.
                                 ,'         `.
                                /  Emergency  \
                               |   Services    |
                               |   Network     |
                               |   (state.org) |
                               |               |
                               |               |
                               |   +------+    |
                               |   |PSAP  +--+ |
                               |   +--+---+  | |
                               |      |      | |
                               |      |      | |
                               |      |      | |
                               |      |      | |
                               |      |      | |
                               |   +--+---+  | |
             ------------------+---+ESRP  |  | |
             esrp-a@state.org  |   +------+  | |
                               |             | |
                               |    Call Fwd | |
                               |     +-+-+---+ |
                                \    | | |    /
                                 `.  | | |  ,'
                                   '-|-|-|-'           ,-------.
                            Police   | | | Fire      ,'         `.
                        +------------+ | +----+     /  Emergency  \
         ,-------.      |              |      |    |   Services    |
       ,'         `.    |              |      |    |   Network     |
      /  Emergency  \   |          Ambulance  |    | fire-town.org |
     |   Services    |  |              |      |    |               |
     |   Network     |  |              +----+ |    |   +------+    |
     |police-town.org|  |     ,-------.     | +----+---+PSAP  |    |
     |               |  |   ,'         `.   |      |   +------+    |
     |   +------+    |  |  /  Emergency  \  |      |               |
     |   |PSAP  +----+--+ |   Services    | |      |               ,
     |   +------+    |    |   Network     | |      `~~~~~~~~~~~~~~~
     |               |    |medic-town.org | |
     |               ,    |               | |
     `~~~~~~~~~~~~~~~     |   +------+    | |
                          |   |PSAP  +----+ +
                          |   +------+    |
                          |               |
                          |               ,
                          `~~~~~~~~~~~~~~~

                   Figure 3: Example for Call Forwarding

3.4.  Network-based Service URN Resolution

   The IETF emergency services architecture also considers cases where
   the resolution from the Service URN to the PSAP URI does not only
   happen at the SIP UA itself but at intermediate SIP entities, such
   as the user's VoIP provider.

   Figure 4 shows this message exchange of the outgoing emergency call
   and the incoming PSAP callback graphically.  While the state
   information stored at the VoIP provider is correct the state
   allocated at the SIP UA is not.

        ,-------.
      ,'         `.
     /  Emergency  \
    |   Services    |
    |   Network     |
    |police-town.org|
    |               |
    |   +------+    |    Invite to police.example.com
    |   |PSAP  +<---+------------------------+
    |   |      +----+------------------+     ^
    |   +------+    |Invite from       |     |
    |               ,police.example.com|     |
    `~~~~~~~~~~~~~~~                   v     |
    +--------+                        ++-----+-+
    |        |            query       |VoIP    |
    | LoST   |<-----------------------|Service |
    | Server |   police.example.com   |Provider|
    |        |----------------------->|        |
    +--------+                        +--------+
                                       |     ^
                                 Invite|     | Invite
                                   from|     | to
                     police.example.com|     | urn:service:sos
                                       V     |
                                      +-------+
                                      | SIP   |
                                      | UA    |
                                      | Alice |
                                      +-------+

        Figure 4: Example for Network-based Service URN Resolution
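
   The domain-and-time check quoted in Section 1, replayed against the
   scenarios of Sections 3.1 to 3.4, as an added example that is not part
   of the draft.  The CallbackFilter class, the 30-minute window, the
   contact alice-friend@example.com and the "psap@" user parts are
   assumptions made for illustration; the domains come from the figures.

```python
from dataclasses import dataclass, field

# Assumption: the guidance only says "a reasonable time"; 30 minutes is made up.
CALLBACK_WINDOW_S = 30 * 60


def uri_domain(uri):
    """Host part of a SIP-style URI, or None for targets without a domain
    (for example the service URN urn:service:sos)."""
    u = uri.strip()
    low = u.lower()
    if low.startswith("urn:"):
        return None
    if low.startswith(("sip:", "sips:")):
        u = u.split(":", 1)[1]
    host = u.rsplit("@", 1)[-1]
    host = host.split(";", 1)[0].split(":", 1)[0]   # drop URI params and port
    return host.lower() or None


@dataclass
class CallbackFilter:
    """State kept by one SIP entity (a UA or a proxy); hypothetical class."""
    contacts: set = field(default_factory=set)   # user-configured whitelist
    pending: dict = field(default_factory=dict)  # PSAP domain -> call time

    def emergency_call_sent(self, target_uri, now):
        """Remember the destination domain this entity saw in the call."""
        domain = uri_domain(target_uri)
        if domain is not None:
            self.pending[domain] = now
        return domain

    def treat(self, from_uri, now):
        """Same domain within the window -> treated as a PSAP callback;
        otherwise the ordinary whitelist policy applies."""
        placed = self.pending.get(uri_domain(from_uri))
        if placed is not None and 0 <= now - placed <= CALLBACK_WINDOW_S:
            return "preferential"
        return "accepted" if from_uri in self.contacts else "blocked"


def run_scenarios():
    """(name, URI seen in the emergency call, callback From URI, delay in s).
    Constructed inputs; user parts of the callback URIs are made up."""
    scenarios = [
        ("direct",           "psap@town.com",    "psap@town.com",           120),
        ("3.2 multi-stage",  "esrp@state.com",   "psap@town.com",           120),
        ("3.3 forwarding",   "esrp-a@state.org", "psap@police-town.org",    120),
        ("3.3 sub-domain",   "esrp-a@state.org", "psap@police.state.org",   120),
        ("3.4 UA sees URN",  "urn:service:sos",  "psap@police.example.com", 120),
        ("direct, too late", "psap@town.com",    "psap@town.com",
         CALLBACK_WINDOW_S + 1),
    ]
    results = {}
    for name, target, caller, delay in scenarios:
        entity = CallbackFilter(contacts={"alice-friend@example.com"})
        entity.emergency_call_sent(target, now=1000)
        results[name] = entity.treat(caller, now=1000 + delay)
    return results


def routing_asymmetry():
    """Section 3.1: state lives at the outbound proxy only, so the same
    callback is recognised there but not at the inbound proxy."""
    outbound, inbound = CallbackFilter(), CallbackFilter()
    outbound.emergency_call_sent("psap@town.com", now=1000)
    return (outbound.treat("psap@town.com", now=1100),
            inbound.treat("psap@town.com", now=1100))


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:18} {outcome}")
    print("3.1 outbound/inbound:", routing_asymmetry())
```

   Only the direct case is recognised as a callback; in every scenario
   from Section 3 the legitimate PSAP call falls through to the ordinary
   whitelist policy.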

3.5.  PSTN Interworking

   In case an emergency call enters the PSTN, as shown in Figure 5,
   there is no guarantee that the callback some time later does leave
   the same PSTN/VoIP gateway or that the same end point identifier is
   used in the forward as well as in the backward direction making it
   difficult to reliably detect PSAP callbacks.

     +-----------+
     | PSTN      |-------------+
     | Calltaker |             |
     | Bob       |<--------+   |
     +-----------+         |   v
                -------------------
            ////                   \\\\      +------------+
           |                           |     |PSTN / VoIP |
           |             PSTN          |---->|Gateway     |
            \\\\                   ////      |            |
                -------------------          +----+-------+
                           ^                      |
                           |                      |
                     +-------------+              |  +--------+
                     |             |              |  |VoIP    |
                     | PSTN / VoIP |              +->|Service |
                     | Gateway     |                 |Provider|
                     |             |<------Invite----|   Y    |
                     +-------------+                 +--------+
                                                      |     ^
                                                      |     |
                                                    Invite Invite
                                                      |     |
                                                      V     |
                                                     +-------+
                                                     | SIP   |
                                                     | UA    |
                                                     | Alice |
                                                     +-------+

                  Figure 5: Example for PSTN Interworking

   Note: This scenario is considered outside the scope of this document.
   The specified solution does not support this use case.

4.  Specification

   [Editor's Note: The solution approach described in
   [I-D.holmberg-emergency-callback-id] will be discussed at the IETF#82
   ECRIT meeting and at the ECRIT mailing list and will be incorporated
   here if agreed by the working group.]

5.  Security Considerations

   [Editor's Note: Instead of the abstract security description text will
   be provided with the solution description.]

6.  IANA Considerations

   [Editor's Note: IANA consideration text will be added once an
   agreement on the solution has been reached.]

7.  Acknowledgements

   We would like to thank members from the ECRIT working group, in
   particular Brian Rosen, for their discussions around PSAP callbacks.
   The working group discussed the topic of callbacks at their virtual
   interim meeting in February 2010 and the following persons provided
   valuable input: John Elwell, Bernard Aboba, Cullen Jennings, Keith
   Drage, Marc Linsner, Roger Marshall, Dan Romascanu, Geoff Thompson,
   Janet Gunn.

   At IETF#81 a small group of people got together to continue the
   discussions started at the working group meeting to explore a GRUU-
   based solution approach.  Martin Thomson, Marc Linsner, Andrew Allen,
   Brian Rosen, Martin Dolly, and Atle Monrad participated at this side-
   meeting.

   Finally, we would like to thank Cullen Jennings for his discussion
   input.  He was the first to propose a "token-based" solution.

8.  References

8.1.  Normative References

   [RFC2119]                             Bradner, S., "Key words for use
                                         in RFCs to Indicate Requirement
                                         Levels", BCP 14, RFC 2119,
                                         March 1997.

   [RFC3261]                             Rosenberg, J., Schulzrinne, H.,
                                         Camarillo, G., Johnston, A.,
                                         Peterson, J., Sparks, R.,
                                         Handley, M., and E. Schooler,
                                         "SIP: Session Initiation
                                         Protocol", RFC 3261, June 2002.

   [RFC3325]                             Jennings, C., Peterson, J., and
                                         M. Watson, "Private Extensions
                                         to the Session Initiation
                                         Protocol (SIP) for Asserted
                                         Identity within Trusted
                                         Networks", RFC 3325,
                                         November 2002.

   [RFC3966]                             Schulzrinne, H., "The tel URI
                                         for Telephone Numbers",
                                         RFC 3966, December 2004.

   [RFC3969]                             Camarillo, G., "The Internet
                                         Assigned Number Authority
                                         (IANA) Uniform Resource
                                         Identifier (URI) Parameter
                                         Registry for the Session
                                         Initiation Protocol (SIP)",
                                         BCP 99, RFC 3969,
                                         December 2004.

   [RFC4474]                             Peterson, J. and C. Jennings,
                                         "Enhancements for Authenticated
                                         Identity Management in the
                                         Session Initiation Protocol
                                         (SIP)", RFC 4474, August 2006.

   [RFC5341]                             Jennings, C. and V. Gurbani,
                                         "The Internet Assigned Number
                                         Authority (IANA) tel Uniform
                                         Resource Identifier (URI)
                                         Parameter Registry", RFC 5341,
                                         September 2008.

   [RFC5627]                             Rosenberg, J., "Obtaining and
                                         Using Globally Routable User
                                         Agent URIs (GRUUs) in the
                                         Session Initiation Protocol
                                         (SIP)", RFC 5627, October 2009.

8.2.  Informative References

   [I-D.holmberg-emergency-callback-id]  Holmberg, C., "Session
                                         Initiation Protocol (SIP)
                                         emergency call back
                                         identification", draft-
                                         holmberg-emergency-callback-id-
                                         00 (work in progress),
                                         October 2011.

   [I-D.ietf-ecrit-framework]            Rosen, B., Schulzrinne, H.,
                                         Polk, J., and A. Newton,
                                         "Framework for Emergency
                                         Calling using Internet
                                         Multimedia",
                                         draft-ietf-ecrit-framework-13
                                         (work in progress),
                                         September 2011.

   [I-D.ietf-ecrit-phonebcp]             Rosen, B. and J. Polk, "Best
                                         Current Practice for
                                         Communications Services in

   The establishment
                                         support of a whitelist with PSAP identities is
   operationally complex Emergency Calling",
                                         draft-ietf-ecrit-phonebcp-20
                                         (work in progress),
                                         September 2011.

   [I-D.ietf-sip-saml]                   Tschofenig, H., Hodges, J.,
                                         Peterson, J., Polk, J., and does not easily scale world wide.  When
   there is a local relationship between the VSP/ASP D.
                                         Sicker, "SIP SAML Profile and the PSAP then
   populating the whitelist is far simpler.

   An alternative approach to an identity based authorization model is
   outlined
                                         Binding",
                                         draft-ietf-sip-saml-08 (work in Figure 7.  In fact, RFC 4484
                                         progress), October 2010.

   [RFC4484] already
   illustrated the basic requirements for                             Peterson, J., Polk, J., Sicker,
                                         D., and H. Tschofenig, "Trait-
                                         Based Authorization
                                         Requirements for the Session
                                         Initiation Protocol (SIP)",
                                         RFC 4484, August 2006.

   [RFC5012]                             Schulzrinne, H. and R.
                                         Marshall, "Requirements for
                                         Emergency Context Resolution
                                         with Internet Technologies",
                                         RFC 5012, January 2008.

   [RFC5031]                             Schulzrinne, H., "A Uniform
                                         Resource Name (URN) for
                                         Emergency and Other Well-Known
                                         Services", RFC 5031,
                                         January 2008.

   [RFC5234]                             Crocker, D. and P. Overell,
                                         "Augmented BNF for Syntax
                                         Specifications: ABNF", STD 68,
                                         RFC 5234, January 2008.

Appendix A.  Alternative Solutions Considered

   In an attempt to describe the problem and to explore solution
   approaches the working group had also investigated alternative
   approaches.  We document them here for completeness.  The solutions
   fall into three categories: (1) Identity-based authorization, (2)
   Trait-based authorization, and (3) Call Marking.  Even though these
   solutions are not mutually exclusive we describe them in separate
   sub-sections.

   Beyond the disadvantages listed in each solution category none of
   them provides the emergency caller with the ability to restrict
   preferential PSAP callback handling to those cases where an earlier
   emergency call was initiated.

A.1.  Identity-based Authorization

   In Figure 6 an interaction is presented that allows a SIP entity to
   make a policy decision whether to bypass installed authorization
   policies and thereby provide preferential treatment.  To make this
   decision the sender's identity is compared with a whitelist of valid
   PSAPs.  The identity assurances in SIP can come in different forms,
   such as SIP Identity [RFC4474] or with P-Asserted-Identity [RFC3325].
   The former technique relies on a cryptographic assurance and the
   latter on a chain of trust.

                    +----------+
                    | List of  |+
                    | valid    ||
                    | PSAP ids ||
                    +----------+|
                     +----------+
                         *
                         * whitelist
                         *
                         V
      Incoming      +----------+    Normal
      SIP Msg       | SIP      |+   Treatment
     -------------->| Entity   ||=============>
      + Identity    |          ||(if not in whitelist)
                    +----------+|
                    +----------+
                         ||
                         ||
                         || Preferential
                         || Treatment
                         ++=============>
                           (in whitelist)

                  Figure 6: Identity-based Authorization

   This approach was not chosen because the establishment of a whitelist
   containing PSAP identities is operationally complex and does not
   easily scale worldwide.  Populating the whitelist is far simpler only
   when there is a local relationship between the VSP/ASP and the PSAP.
   This would, however, constrain the applicability of the mechanism
   considerably.

A.2.  Trait-based Authorization

   An alternative approach to an identity based authorization model is
   outlined in Figure 7.  In fact, RFC 4484 [RFC4484] illustrates a
   related emergency service use case.

                  +----------+
                  | List of  |+
                  | trust    ||
                  | anchor   ||
                  +----------+|
                   +----------+
                       *
                       *
                       *
                       V
    Incoming      +----------+    Normal
    SIP Msg       | SIP      |+   Treatment
   -------------->| Entity   ||=============>
    + trait       |          ||(no indication
                  +----------+| of PSAP)
                  +----------+
                       ||
                       ||
                       || Preferential
                       || Treatment
                       ++=============>
                         (indicated as
                          PSAP)

                    Figure 7: Trait-based Authorization

   In a trait-based authorization scenario an incoming SIP message
   contains a form of trait, i.e. some form of assertion.  The assertion
   contains an indication that the sending party has the role of a PSAP
   (or similar emergency services entity).  The assertion is either
   cryptographically protected to enable end-to-end verification or a
   chain of trust security model has to be assumed.  In Figure 7 we
   assume an end-to-end security model where trust anchors are
   provisioned to ensure the ability for a SIP entity to verify the
   received assertion.

4.  Callback Marking

   The callback marking is represented as a URI parameter for a URI
   scheme.  The ABNF [RFC5234] syntax is shown below.

4.1.  Tel URI

   The 'par' production is defined in RFC 3966 [RFC3966].  The "=/"
   syntax indicates an extension of the production on the left-hand
   side:

      par =/ callback

      callback = callback-tag "=" callback-value

      callback-tag = "callback"

      callback-value = "normal" / "test" /

   The semantics of the callback values are described below:

      normal: This represents a normal PSAP callback.

      test: This is a test callback.

   An example of the "callback" parameter is given below:

   P-Asserted-Identity: <tel:+17005554141;callback=test>

4.2.  SIP URI

   The 'uri-parameter' production is defined in RFC 3261 [RFC3261].  The
   "=/" syntax indicates an extension of the production on the left-hand
   side:

      uri-parameter =/ callback

      callback = callback-tag "=" callback-value

      callback-tag = "callback"

      callback-value = "normal" / "test" /

   The semantics of the callback values are described below:

      normal: This represents a normal PSAP callback.

      test: This is a test callback.

   An example of the "callback" parameter is given below:

   P-Asserted-Identity: <sip:psap@example.com;callback=normal>

5.  Security Considerations

   This document defines a callback marking scheme using URI parameters
   and illustrates how to handle authorization for preferential
   treatment.  The URI parameter that is included for a URI MUST be used
   in concert with either the PAI [RFC3325] or the SIP Identity
   [RFC4474] header.  A pure From header does not provide security
   assurance that the calling party is indeed a PSAP.

   An important aspect from a security point of view is the relationship
   between the emergency services network and the VSP (assuming that the
   emergency call travels via the VSP and not directly between the SIP
   UA and the PSAP).  If there is some form of relationship between the
   emergency services operator and the VSP then the identification of a
   PSAP call back is less problematic than in the case where the two
   entities have not entered in some form of relationship that would
   allow the VSP to verify whether the marked callback message indeed
   came from a legitimate source.

   The main attack surface can be seen in the usage of PSAP callback
   marking to bypass blacklists, ignore call forwarding procedures and
   similar features to interact with users and to get their attention.
   For example, using PSAP callback marking, devices would be able to
   recognize these types of incoming messages, leading to the device
   overriding user interface configurations, such as vibrate-only mode.
   As such, the requirement is to ensure that the mechanisms described
   in this document cannot be used for malicious purposes, including
   SPIT.

   A SIP entity MAY treat the call as a normal incoming call if it
   considers the request with the included URI parameter to be
   fraudulent, i.e., if it does not recognize the originator, or the
   domain from which the call originated, as being trusted/owned by
   a PSAP.  It is NOT RECOMMENDED to drop a call that is marked as PSAP
   callback in such a case since this may severely impact the ability
   of call-takers at PSAPs to contact emergency callers.
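
   The authorization decision described in Sections 4 and 5, as an
   added Python example that is not part of the draft: it reads the
   "callback" parameter from P-Asserted-Identity only, ignores a marking
   carried in From, and falls back to normal treatment instead of
   dropping the call.  The whitelist, the trusted-peer set, the peer_ip
   argument and the "test" verdict are assumptions; SIP Identity
   [RFC4474] signature verification is not implemented.

```python
import re

# Constructed sample data (assumptions, not values from the draft).
PSAP_WHITELIST = {"sip:psap@example.com", "tel:+17005554141"}  # Figure 6 whitelist
TRUSTED_PEERS = {"192.0.2.10"}  # previous hops inside the RFC 3325 trust domain
CALLBACK_VALUES = {"normal", "test"}  # values named in the callback ABNF


def parse_pai(message):
    """Return (uri, callback) taken from the first P-Asserted-Identity header.

    uri has its parameters removed. callback is None when the parameter is
    absent and "" when it is repeated, so neither matches CALLBACK_VALUES.
    """
    m = re.search(r"^P-Asserted-Identity[ \t]*:(.*)$", message, re.I | re.M)
    if not m:
        return None, None
    value = m.group(1).strip()
    bracketed = re.search(r"<([^>]*)>", value)
    addr = bracketed.group(1) if bracketed else value
    uri, *params = addr.split(";")
    marks = [p.partition("=")[2].strip().lower() for p in params
             if p.partition("=")[0].strip().lower() == "callback"]
    if not marks:
        return uri, None
    return uri, marks[0] if len(marks) == 1 else ""


def classify(message, peer_ip):
    """Return "preferential", "test" or "normal"; there is no drop verdict."""
    uri, callback = parse_pai(message)
    if callback not in CALLBACK_VALUES:
        return "normal"  # unmarked, marked only in From, or unknown value
    if peer_ip not in TRUSTED_PEERS:
        return "normal"  # PAI from outside the trust domain carries no assurance
    if uri not in PSAP_WHITELIST:
        return "normal"  # marked, but the asserted identity is not a listed PSAP
    return "preferential" if callback == "normal" else "test"


def invite(*headers):
    """Build a constructed INVITE carrying the given header lines."""
    lines = ("INVITE sip:alice@example.org SIP/2.0",) + headers
    return "\r\n".join(lines) + "\r\n\r\n"


GENUINE = invite("From: <sip:psap@example.com>;tag=1",
                 "P-Asserted-Identity: <sip:psap@example.com;callback=normal>")
FROM_ONLY = invite("From: <sip:psap@example.com;callback=normal>;tag=2")
UNLISTED = invite("P-Asserted-Identity: <sip:x@example.net;callback=normal>")
TEST_CALL = invite("P-Asserted-Identity: <tel:+17005554141;callback=test>")

if __name__ == "__main__":
    for name, msg in [("genuine", GENUINE), ("from-only", FROM_ONLY),
                      ("unlisted", UNLISTED), ("test", TEST_CALL)]:
        print(name, classify(msg, "192.0.2.10"))
    print("genuine, untrusted hop", classify(GENUINE, "203.0.113.7"))
```

   Exact string comparison against the whitelist is deliberate here; a
   deployment would canonicalise URIs before comparing.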

6.  IANA Considerations

   This document extends the registry of URI parameters for SIP, as
   defined in RFC 3969 [RFC3969].  A new SIP URI parameter is defined in
   this document as follows:

   Parameter Name: callback

   Predefined Values: Yes

   Reference: This document

   This document extends the registry of Tel URI parameters for SIP, as
   defined in RFC 5341 [RFC5341].  A new Tel URI parameter is defined in
   this document as follows:

   Parameter Name: callback

   Predefined Values: Yes

   Reference: This document

7.  Acknowledgements

   We would like to thank members from the ECRIT working group, in
   particular Brian Rosen, for their discussions around PSAP callbacks.
   The working group discussed the topic of callbacks at their virtual
   interim meeting in February 2010 and the following persons provided
   valuable input: John Elwell, Bernard Aboba, Cullen Jennings, Keith
   Drage, Marc Linsner, Roger Marshall, Dan Romascanu, Geoff Thompson,
   Janet Gunn.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3261]  Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
              A., Peterson, J., Sparks, R., Handley, M., and E.
              Schooler, "SIP: Session Initiation Protocol", RFC 3261,
              June 2002.

   [RFC3325]  Jennings, C., Peterson, J., and M. Watson, "Private
              Extensions to the Session Initiation Protocol (SIP) for
              Asserted Identity within Trusted Networks", RFC 3325,
              November 2002.

   [RFC3966]  Schulzrinne, H., "The tel URI for Telephone Numbers",
              RFC 3966, December 2004.

   [RFC3969]  Camarillo, G., "The Internet Assigned Number Authority
              (IANA) Uniform Resource Identifier (URI) Parameter
              Registry for the Session Initiation Protocol (SIP)",
              BCP 99, RFC 3969, December 2004.

   [RFC4474]  Peterson, J. and C. Jennings, "Enhancements for
              Authenticated Identity Management in the Session
              Initiation Protocol (SIP)", RFC 4474, August 2006.

   [RFC5341]  Jennings, C. and V. Gurbani, "The Internet Assigned Number
              Authority (IANA) tel Uniform Resource Identifier (URI)
              Parameter Registry", September 2008.

8.2.  Informative References

   [I-D.ietf-ecrit-framework]
              Rosen, B., Schulzrinne, H., Polk, J., and A. Newton,
              "Framework for Emergency Calling using Internet
              Multimedia", draft-ietf-ecrit-framework-12 (work in
              progress), October 2010.

   [I-D.ietf-sip-saml]
              Tschofenig, H., Hodges, J., Peterson, J., Polk, J., and D.
              Sicker, "SIP SAML Profile and Binding",
              draft-ietf-sip-saml-08 (work in progress), October 2010.

   [RFC4484]  Peterson, J., Polk, J., Sicker, D., and H. Tschofenig,
              "Trait-Based Authorization Requirements for the Session
              Initiation Protocol (SIP)", RFC 4484, August 2006.

   [RFC5012]  Schulzrinne, H. and R. Marshall, "Requirements for
              Emergency Context Resolution with Internet Technologies",
              RFC 5012, January 2008.

   [RFC5031]  Schulzrinne, H., "A Uniform Resource Name (URN) for
              Emergency and Other Well-Known Services", RFC 5031,
              January 2008.

   [RFC5234]  Crocker, D. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", STD 68, RFC 5234, January 2008.

   This solution was not chosen because trait-based authorization never
   got deployed in SIP.  Furthermore, in order to ensure that the
   assertions are properly protected it is necessary to digitally sign,
   which requires some form of public key infrastructure for usage with
   emergency services.  Finally, there need to be some policies in place
   that define which entities are allowed to obtain various roles.
   These policies and procedures do not exist today.

A.3.  Call Marking

   Call marking allows the PSAP to place a non-cryptographic label on
   outgoing calls that gives, when received by a SIP entity,
   preferential treatment for these callbacks.

   When used in isolation this mechanism introduces considerable denial
   of service attacks due to the ability to bypass any authorization
   policies and could be utilized to distribute unwanted traffic.

Authors' Addresses

   Henning Schulzrinne
   Columbia University
   Department of Computer Science
   450 Computer Science Building
   New York, NY  10027
   US

   Phone: +1 212 939 7004
   EMail: hgs+ecrit@cs.columbia.edu
   URI:   http://www.cs.columbia.edu

   Hannes Tschofenig
   Nokia Siemens Networks
   Linnoitustie 6
   Espoo  02600
   Finland

   Phone: +358 (50) 4871445
   EMail: Hannes.Tschofenig@gmx.net
   URI:   http://www.tschofenig.priv.at

   Christer Holmberg
   Ericsson
   Hirsalantie 11
   Jorvas  02420
   Finland

   EMail: christer.holmberg@ericsson.com

   Milan Patel
   InterDigital Communications

   EMail: Milan.Patel@interdigital.com