ECRIT                                                     H. Schulzrinne
Internet-Draft                                               Columbia U.
Expires: December 20, 2005                                 June 18, 2005

               Location-to-URL Mapping Protocol (LUMP)
                    draft-schulzrinne-ecrit-lump-00

Status of this Memo

By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

This Internet-Draft will expire on December 20, 2005.

Copyright Notice

Copyright (C) The Internet Society (2005).

Abstract

LUMP (Location-to-URL Mapping Protocol) maps geographic locations, described as PIDF-LO objects containing civic or geospatial information, to one or more URLs. It is based on a standard RPC mechanism and supports updates. Clusters are used to ensure scaling and reliability. A flooding mechanism distributes top-level routing information. Naming authority can be delegated in any tree-like fashion, with multiple independent authorities for each level.

Schulzrinne                Expires December 20, 2005              [Page 1]
Internet-Draft                     LUMP                        June 2005

Table of Contents

   1.    Terminology ........................................  3
   2.    Definitions ........................................  3
   3.    Introduction .......................................  4
   4.    Introductory Example ...............................  5
   5.    Overview of System Operation .......................  6
   6.    LUMP System Architecture ...........................  7
   7.    Resolver Discovery ................................. 11
   8.    Protocol Operations ................................ 12
   8.1   Query .............................................. 12
   8.1.1 Query Input ........................................ 12
   8.1.2 Query Output ....................................... 13
   8.1.3 Query Error ........................................ 14
   8.2   Update ............................................. 14
   8.2.1 Update Input ....................................... 14
   8.2.2 Update Output ...................................... 14
   8.2.3 Update Error ....................................... 15
   8.3   Summary ............................................ 15
   9.    Configuring Emergency Dial Strings ................. 15
   10.   Security ........................................... 16
   11.   References ......................................... 17
   11.1  Normative References ............................... 17
   11.2  Informative References ............................. 17
         Author's Address ................................... 18
   A.    Acknowledgments .................................... 18
         Intellectual Property and Copyright Statements ..... 19

1.  Terminology

In this document, the key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as described in RFC 2119 [1] and indicate requirement levels for compliant implementations.

2.  Definitions

In addition to the terms defined in [11], this document uses the following terms to describe LUMP:

authoritative resolver: A resolver that can provide the authoritative answer to a particular set of queries, e.g., covering a set of PIDF-LO civic labels or a particular region described by a geometric shape. In some (rare) cases of territorial disputes, two resolvers may be authoritative for the same region.

child: A child is a resolver that is authoritative for a subregion of the region covered by a particular resolver (its parent). A child can in turn be a parent.

cluster: A cluster is a group of resolvers (servers) that all share the same mapping information and return the same results for queries. Clusters provide redundancy and share query load. Clusters are fully meshed, i.e., all members exchange updates with each other.

complete: A civic mapping region is considered complete if it covers a set of hierarchical labels in its entirety, i.e., there is no other resolver that covers parts of the same region. (A complete mapping may have children that cover strict subsets of this region.) For example, a region spanning the whole country is complete, but a region spanning only some of the streets in a city is not.

first resolver: The first resolver is the resolver contacted directly by the ESRP or end system to obtain a mapping. Architecturally, all resolvers can serve as first resolvers, although local policy may disallow this.

hint: A hint provides a mapping from a region to a server name, used to short-cut mapping operations.

leaf: A resolver that has no children.

mapping: A mapping is short-hand for "a mapping from a location object to one or more URLs describing either another mapping server or the desired PSAP URLs".

parent: A resolver that covers the region of all of its children. A resolver without a parent is a root resolver.

peer: A resolver maintains associations with other resolvers, called peers. Peers synchronize their region maps.
querier: The resolver, ESRP or end system requesting a mapping.

region map: A data object describing a contiguous area covered by a resolver, either as a subset of a civic address or as a geometric object.

root region map: A data object describing a contiguous area covered by a resolver, with no parent map.

resolver: A server providing (part of) the mapping service. Resolvers cooperate to offer the mapping service to queriers.

root resolver: A resolver without parents is a root resolver.

3.  Introduction

The Location-to-URL Mapping Protocol (LUMP) maps a civic or geospatial location, typically specified as a PIDF-LO object, to a set of URLs that describe the services available for that location. The initial application is the mapping of locations to the appropriate Public Safety Answering Point (PSAP) for emergency calling. LUMP uses a common RPC protocol for its operations.

LUMP has the following properties, described more fully later in this document:

   LUMP satisfies the requirements [11] for mapping protocols.

   LUMP supports lookup as well as address validation for civic addresses.

   LUMP re-uses the most commonly used RPC protocol, SOAP, with a variety of transport and security options. (Other mechanisms, such as XML-RPC, may also work.) The choice is motivated by the availability of numerous well-tested implementations, both open and closed source, in just about any conceivable language framework (with the possible exception of Fortran and Cobol).

   LUMP uses a robust clustering and replication architecture that distributes load as widely as possible, with every resolver as an entry point.

   LUMP fully specifies mechanisms for distributing coverage-region information.

   Mapping can be based on either civic or geospatial location information, with no performance penalty for either.
   LUMP can be deployed bottom-up as well as top-down, with no need for a global coordinating body or the management of a global namespace or DNS name. The mechanism described does not require a country-level mapping server or a set of "root" servers. Mapping services can be offered close to the access network, by the VSP/ASP, or by independent third parties.

   LUMP supports a mechanism for updates and synchronization. LUMP uses automated cluster replication with guaranteed convergence properties for maximum robustness [7].

   LUMP supports split responsibility for a single civic hierarchy level. (Example: a city has three public safety agencies, with three PSAPs and independent mapping databases, each covering a subset of the streets in the city.)

   LUMP can be extended to additional operations and data types.

   LUMP is scalable both horizontally and vertically, i.e., any number of servers can support each subset of the mapping information, and the number of levels is not bounded.

   LUMP minimizes round trips by caching individual mappings as well as coverage regions ("hinting"). Unless otherwise desired, there is only one message exchange (one round-trip delay) between the ESRP or end system requesting a mapping and the designated resolver. This also facilitates reuse of a TLS or other secure transport association across multiple queries.

   LUMP supports both exact and approximate (best-guess) matching, controllable by the querier.

   Mapping servers require only limited mutual trust.

LUMP combines aspects of directory lookup protocols such as IRIS [8] and hierarchical name mapping protocols such as DNS. However, it tries to avoid the constraints imposed by these earlier protocols, which were designed for different applications.
For example, LUMP is not bound to a resolver hierarchy that reflects the hierarchical nature of a civic location, and it does not have to force the non-hierarchical nature of geospatial addresses into a label hierarchy. LUMP tries to avoid the notion of root servers and allows bottom-up deployment. LUMP supports updates, as this is necessary to design a robust replication system that allows LUMP nodes from different providers to become members of a cluster, without relying on unspecified protocols. Unlike DNS, secure channel associations are included in the design, as the fan-out at each level of the hierarchy is likely to be much lower. Also, LUMP is not encumbered by the label and character set restrictions that make the use of DNS cumbersome. Both exact and best-effort matches are possible.

4.  Introductory Example

For this example, assume that there is a SIP-based VSP, V1, that offers a first resolver service to its customers. The VSP operates a cluster of such LUMP servers, advertised to its customers via DHCP. For simplicity, we only look at resolution by civic address; resolution by geographic coordinates works in exactly the same fashion.

Assume that in the United States, each state operates a resolver covering the counties or parishes in the state. In our example, there is no server covering all of the United States or larger regions. Each county in the state in turn has a list of coverage regions, typically consisting of one or more PSAPs. The state servers have their own databases that are not shared with the rest of the country.

Assume that the caller is located at 123 Broad Avenue, Leonia, Bergen County, New Jersey. An end user affiliated with V1 needs to place an emergency call and dials "9-1-1". The end device translates this into an "sos" URI, which reaches the outbound proxy operated by V1, acting as an ESRP here. The ESRP issues a LUMP request to the local first resolver, RV1.
RV1 has stored the coverage regions for all the states and matches the request to the New Jersey server, using the PIDF-LO location information contained in the SIP INVITE request for the lookup operation. Since it operates in recursive mode, it in turn queries the New Jersey server, say, lump:state.nj.example.gov. That server does not want to reveal more detailed information to the caller and simply returns a URL for the state-wide emergency services proxy, say, sip:sos@emergency.nj.example.gov.

The ESRP routes the call to sip:sos@emergency.nj.example.gov, a SIP proxy server. In one or more resolution steps, that proxy server in turn consults a local LUMP server with the same PIDF-LO location information. Assume that the town of Leonia is served by two PSAPs, which do not share the same database. Streets south of a main road are served by one, those north of it by the other. The state LUMP server only knows that Leonia has two such servers and issues a request to both, i.e., lump:north.leonianj.example.gov and lump:south.leonianj.example.gov. Broad Avenue is divided by this main road, with 124 Broad Avenue happening to fall north of the dividing line. Both LUMP servers get the request; the northern server returns an answer, while the southern server indicates that this address is outside of its coverage region. The northern server returns the PSAP address, say, sip:police@leonianj.example.gov. The proxy simply routes the call to that location, including the location information.

This is only one of many possible deployment scenarios. As noted elsewhere, the area served by each server does not have to correspond to a particular civic address level and can span multiple levels. The referral graph can differ between civic and geospatial addresses and can utilize completely different servers, beyond the first resolver.

5.  Overview of System Operation

A querier, such as an ESRP or end system, desiring to obtain a location mapping follows the steps below:

Identify a resolver: Using either DHCP [2], a service location protocol such as DNS-SD [9] or SLP [6], a using-protocol configuration protocol (e.g., [10] for SIP) or another configuration mechanism, the querier obtains one DNS name for a LUMP server cluster.

Determine a first resolver: The domain name obtained in the previous step is resolved using the associated SRV [3] resource record. The querier chooses the highest-priority server and continues down the list if that server does not respond. As detailed in the SRV specification, a querier chooses randomly among multiple entries with the same weight. The use of DNSSEC is RECOMMENDED.

Send query to first resolver: The querier sends a LUMP query to the resolver identified in the previous step, using an existing or newly-established secure transport association. The query contains a PIDF-LO [4] object. The resolver either determines that it is authoritative for the location contained in the query, or it determines the root server for the location using region maps stored locally. In either case, the first resolver issues the same query provided by the initial querier to the appropriate resolver, which then recurses until it can determine a set of URLs for this location. The resolution path is recorded in the query result and returned to the initial querier as an ordered list of (URL, priority) tuples. If the query does not match any existing record, the query returns an appropriate error code. However, if the query allowed for approximate mapping, a URL may be returned, with an appropriate warning.

In the next section, we describe how LUMP works "behind the scenes" to perform this resolution.

6.  LUMP System Architecture

A LUMP system consists of resolvers, organized into one or more clusters.
Each cluster member provides the same information and offers load scaling and redundancy. Each cluster may be authoritative for a set of location-to-URL bindings, or it may simply forward queries to other such clusters. Cluster members automatically synchronize their data stores with each other, so that updates made in any one cluster node propagate automatically to all other cluster nodes, even if some nodes were unavailable when the update was performed. Cluster nodes can (and should) be geographically distributed for increased failure tolerance. It is RECOMMENDED that each cluster contain at least two members. All cluster members are listed in a single DNS SRV record, typically, but not necessarily, with equal priority. Since all resolvers within a cluster offer equivalent services, we often use the terms resolver and resolver cluster interchangeably where the precise host identity does not matter.

Resolver clusters that are authoritative form a logical resolution hierarchy, i.e., resolvers can refer queries for more detailed resolution to other resolvers. The hierarchy is not tied to a particular element of the location object. For example, it does not have to follow a country, state/province, city, and street hierarchy. We refer to a resolver A referenced by another resolver B as a child resolver in relation to that resolver B.

[Figure: two first resolvers connected by a peer association; one of them is drawn as a cluster (dotted box) of replicated first resolvers with their databases.]

In many cases, the degree of the tree will be modest. For example, if there were a resolver for the United States, it might have 51 child servers for the 50 states and the District of Columbia.
We anticipate that fan-outs from 20 to 100 are common, as that seems to be a common span of control for each civic administrative level. For fan-outs of this order of magnitude, it becomes feasible for the parent resolver to maintain secure channel associations, e.g., via TLS, to all of its children, greatly accelerating the resolution process.

Thus, when receiving a query, each resolver checks if the query can be answered locally. The answer may contain a pointer to another resolver. For example, a server for the state of New Jersey in the United States might contain the following database entries:

   country  A1  A2        URL  resolver
   US       NJ  Atlantic  -
   US       NJ  Bergen    -
   US       NJ  Monmouth  -

In this example, the resolver has local knowledge that it only needs to match the country, A1 and A2 elements. All other PIDF-LO elements are ignored in selecting a matching entry. This example shows a non-leaf resolver that only points to other resolvers. A leaf resolver contains at least some mapping URLs, i.e., URLs of PSAPs. In the example below, Leonia is a town within Bergen County, with two streets, Broad and Grand:

   country  A1  A2      A3      A6     URL
   US       NJ  Bergen  Leonia  Broad  sip:psap1@leonia.example.com
   US       NJ  Bergen  Leonia  Grand  sip:psap2@leonia.example.com, xmpp:

Above, we assume that the streets in Leonia are served by two different PSAPs, but are contained in the same resolver. A more complicated example is the case where the PSAPs within a single city, for example, cannot agree to operate a single resolver, but rather each PSAP operates its own resolver for its own coverage area. The division might be by street names, sides of a street, or even by service (fire vs. police).
The leaf servers have entries as above, but the server handling Leonia (e.g., at the county level) would contain an entry such as:

   country  A1  A2      A3      resolvers                                 default URL
   US       NJ  Bergen  Leonia  lump:r1.example.com, lump:r2.example.com  sip:psap@leonia.example.com

When a query for Grand Avenue, Leonia reaches this resolver, the resolver obtains two answers, r1.example.com and r2.example.com, from its database. Since it does not know which of the two child servers for Leonia knows about the PSAP for Grand Avenue, it sends a query to both servers. Typically, one server will return a failure response, indicating that it does not contain such a mapping, while the other will respond with a PSAP URL. If both respond with a failure to resolve, the county server in this example would return a default PSAP URL, here sip:psap@leonia.example.com. In the hopefully unlikely case of dueling PSAPs that both claim to serve Grand Avenue, both would return an answer and the combined answer would be returned.

This mechanism can also deal with the case where there is no single emergency contact, but different emergency services maintain their own citizen-facing call center operations. In that case, both servers might return an answer, one indicating the URL for the fire service, the other for the police service. (Alternatively, the query could constrain the service.)

While the example above returned two PSAP URLs, the same mechanism also works at non-leaf nodes to return resolver names. By explicitly allowing for split authority, we avoid the notion of lame delegations.

(These examples do not imply that the database needs to be relational. An XML database, for example, might be used.)

As described in more detail later in this document, queries can ask to be treated recursively, i.e., where the resolver returns a final answer, or iteratively, where it returns a resolver name if it cannot provide a PSAP URL. (This is similar in spirit to the DNS approach.)
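The split-authority resolution just described, as an added Python example that is not part of this draft: a small resolver tree following the New Jersey entries above, queried in the recursive and iterative modes and with the "exact" and "partial" query precisions of Section 8.1.1. The resolver names other than r1/r2 (e.g., lump:bergen.example.com), the per-resolver match depth and the dictionary shape of the result are assumptions of this example.

```python
"""Civic-address resolution across a tree of LUMP-style resolvers (example model)."""
from dataclasses import dataclass, field

# PIDF-LO civic labels in order of decreasing significance (subset used here).
CIVIC_LABELS = ("country", "A1", "A2", "A3", "A6")


@dataclass
class Entry:
    labels: tuple                                   # civic prefix this entry covers
    resolvers: list = field(default_factory=list)   # child lump: URLs (split authority)
    url: str = ""                                   # PSAP URL, or default if all children fail


@dataclass
class Resolver:
    name: str
    depth: int        # number of civic labels this resolver matches on (assumption)
    entries: list

    def lookup(self, civic, precision):
        """Return (entry, match quality) or (None, None).

        "exact": the entry must cover all `depth` labels of the query.
        "partial": least-significant labels may be dropped; the quality then
        names the last PIDF-LO element that was used (e.g. "A1")."""
        if precision == "exact":
            if len(civic) < self.depth:      # query lacks a relevant field
                return None, None
            depths = [self.depth]
        else:
            depths = range(min(self.depth, len(civic)), 0, -1)
        for d in depths:
            for e in self.entries:
                if e.labels == tuple(civic[:d]):
                    return e, ("exact" if d == self.depth else CIVIC_LABELS[d - 1])
        return None, None


RESOLVERS = {}   # lump: URL -> Resolver, i.e. the whole constructed deployment


def add_resolver(name, depth, entries):
    RESOLVERS[name] = Resolver(name, depth, entries)


def resolve(name, civic, precision="exact", mode="recursive", path=None):
    """Resolve a civic address (label values, country first) starting at `name`.
    Returns a dict shaped like the draft's query output: URL list, path, reason."""
    path = [] if path is None else path
    path.append(name)
    entry, quality = RESOLVERS[name].lookup(civic, precision)
    if entry is None:
        return {"urls": [], "path": path, "reason": "no precise match"}
    urls = []
    if entry.resolvers and mode == "iterative":
        # Hand the child lump: URLs back to the querier, which continues itself.
        urls = [{"url": r, "quality": quality, "from": name} for r in entry.resolvers]
    elif entry.resolvers:
        # Recursive mode with split authority: ask every child. Typically only
        # one answers; the others report the address is outside their coverage.
        for child in entry.resolvers:
            urls.extend(resolve(child, civic, precision, mode, path)["urls"])
    if not urls and entry.url:
        # Leaf answer, or this resolver's default URL when every child failed.
        urls = [{"url": entry.url, "quality": quality, "from": name}]
    return {"urls": urls, "path": path, "reason": None if urls else "no precise match"}


# Constructed sample deployment following the draft's New Jersey example.
add_resolver("lump:state.nj.example.gov", 3, [
    # State-wide proxy; only reachable through a partial match (no A2 matched).
    Entry(("US", "NJ"), url="sip:sos@emergency.nj.example.gov"),
    Entry(("US", "NJ", "Bergen"), resolvers=["lump:bergen.example.com"]),
])
add_resolver("lump:bergen.example.com", 4, [
    Entry(("US", "NJ", "Bergen", "Leonia"),
          resolvers=["lump:r1.example.com", "lump:r2.example.com"],
          url="sip:psap@leonia.example.com"),
])
add_resolver("lump:r1.example.com", 5, [
    Entry(("US", "NJ", "Bergen", "Leonia", "Broad"), url="sip:psap1@leonia.example.com"),
])
add_resolver("lump:r2.example.com", 5, [
    Entry(("US", "NJ", "Bergen", "Leonia", "Grand"), url="sip:psap2@leonia.example.com"),
])

if __name__ == "__main__":
    print(resolve("lump:state.nj.example.gov", ["US", "NJ", "Bergen", "Leonia", "Grand"]))
```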
The description above shows how servers that are authoritative for a set of mappings obtain an answer, but it does not solve the bootstrapping problem, namely finding the right top-level server. This job is performed by so-called first resolvers, i.e., a set of resolvers that are directly contacted by queriers. In DNS terminology, LUMP makes all (first) resolvers "root" servers, i.e., capable of finding the right entry point into the tree. This does not preclude operating LUMP in a manner similar to DNS, i.e., with a small number of root servers that handle the whole world, but we believe that coordination, deployment, robustness and administration are improved by allowing for a far more distributed set of entry points.

In LUMP, each first resolver must be equipped with a map of the top-level regions of the world, each served by a hierarchy of authoritative servers. There is no need for these areas to be contiguous or exclusive, i.e., it is possible for the same geographic spot to be claimed by two entities. The system works even if only small areas of the world participate initially, without having to agree on root servers. Thus, for example, we can defer the issue of an international coordination body well into the future. (Editorial aside: the difficulties in deploying ENUM illustrate that such coordination causes significant delays and overhead.)

As noted above, resolvers that are contacted directly by end systems or ESRPs are called first resolvers, and all such first resolvers share a global region map, distributed by an application-layer broadcast mechanism. First resolvers may also be authoritative for a particular region, but that is not required. For example, a voice service provider might operate one or more resolvers that are used as first resolvers by its customers. Conversely, a resolver that is authoritative for a region may decide not to serve as a first resolver and thus does not need to receive global region maps.
This mechanism does not scale indefinitely, but we believe that it readily supports thousands of top-level authoritative resolvers. This belief is based on the scaling properties of Usenet, which uses an architecture vaguely similar to the one proposed here.

The amount of data that needs to be distributed to all first resolvers is relatively small and is likely to see only incremental updates as new regions are added or regions are split. Longer term, it appears likely that the number of such regions corresponds roughly to the number of countries, i.e., around 200. Regions described by civic addresses, e.g., a country or state, would have a single PIDF entry and a resolver URL. Regions described by a geospatial boundary would contain a GML polygon and a URL. It is hard to estimate the bandwidth usage for distributing this information precisely, but reasonable estimates are probably measured in kilobytes per year.

First resolvers peer with other resolvers to exchange top-level LUMP request routing information. Each resolver can peer with as many other resolvers as it deems administratively appropriate, as long as the set of first resolver clusters forms a connected graph. (It is sufficient, albeit unwise, that only one server in a cluster peers with other servers.)

If a new resolver covering a previously uncovered territory joins LUMP, it distributes an XMLDSIG-signed coverage map, consisting of a set of polygons to indicate geospatial coverage and/or a set of civic address labels and values to indicate civic coverage. These coverage regions are signed to prevent spoofing and to allow receiving resolvers to make policy choices if the same area is covered by two resolvers, e.g., for territories in dispute. (We assume that top-level regions are complete.) When receiving a map from a peer, a resolver distributes a copy to each of its other peers, flooding the map to the whole graph.
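The flooding of region maps between peered first resolvers, together with the hash-table synchronization described in the next paragraph, the "global" and "replaces" Update fields of Section 8.2.1 and the Summary exchange of Section 8.3, as an added Python model that is not part of this draft. It assumes a constructed peering graph of nodes named A to D, a SHA-256 over a canonical JSON rendering standing in for the XMLDSIG-covered material, and that a node does not re-flood a map it already holds (the draft's summary exchange serves that purpose); cluster members are not modelled, so each node stands for one cluster.

```python
"""Region-map flooding and hash-summary synchronization between LUMP peers (example model)."""
import hashlib
import json


def make_map(region, urls, expires, global_=True, replaces=None):
    """Build a region map carrying the Update fields of Section 8.2.1."""
    return {"region": region, "urls": urls, "expires": expires,
            "global": global_, "replaces": replaces}


def region_hash(rmap):
    """Hash over the signed material: region, URL list and expiration time.
    'global' and 'replaces' are transport metadata and are not hashed."""
    signed = {"region": rmap["region"], "urls": rmap["urls"], "expires": rmap["expires"]}
    return hashlib.sha256(json.dumps(signed, sort_keys=True).encode()).hexdigest()


class Peer:
    """One first resolver (cluster) holding the global set of region maps."""

    def __init__(self, name):
        self.name = name
        self.peers = []          # directly peered nodes
        self.cache = {}          # hash -> region map currently held
        self.replaced = set()    # hashes superseded by a newer map
        self.updates_sent = 0    # Update messages sent, for inspection

    def peer_with(self, other):
        self.peers.append(other)
        other.peers.append(self)

    def store(self, rmap):
        """Insert rmap unless it is already held or already superseded."""
        h = region_hash(rmap)
        if h in self.cache or h in self.replaced:
            return False
        old = rmap.get("replaces")
        if old in self.cache:            # the newer map replaces the old region
            del self.cache[old]
        if old:
            self.replaced.add(old)       # never accept the old one again
        self.cache[h] = rmap
        return True

    def receive_update(self, rmap, sender=None):
        """Update request: store the map and flood global maps to all other
        peers. Dropping maps already held terminates the flood on cycles
        (an assumption of this model)."""
        if not self.store(rmap):
            return
        if rmap["global"]:
            for p in self.peers:
                if p is not sender:
                    self.updates_sent += 1
                    p.receive_update(rmap, sender=self)

    def summary(self):
        """Summary message: hashes of every map in this node's object cache."""
        return sorted(self.cache)

    def handle_summary(self, hashes, sender):
        """Send the sender each map it is missing, via Update. Returns the count."""
        known = set(hashes)
        missing = [h for h in self.cache if h not in known]
        for h in missing:
            self.updates_sent += 1
            sender.receive_update(self.cache[h], sender=self)
        return len(missing)


def build_demo():
    """Constructed sample: three mutually peered first resolvers A, B and C."""
    a, b, c = Peer("A"), Peer("B"), Peer("C")
    a.peer_with(b)
    b.peer_with(c)
    c.peer_with(a)
    return a, b, c


# Constructed top-level region: the draft's New Jersey state resolver.
NJ_V1 = make_map({"country": "US", "A1": "NJ"}, ["lump:state.nj.example.gov"],
                 "2006-06-18T00:00:00Z")

if __name__ == "__main__":
    a, b, c = build_demo()
    a.receive_update(NJ_V1)          # injected from outside at A, flooded to B and C
    print([n.summary() for n in (a, b, c)])
```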
When a new LUMP resolver joins a cluster or the overall LUMP graph, it requests the current set of regions from its peer. More precisely, it uses the XXX synchronization mechanism to determine whether it needs to update a peer. This avoids having multiply-connected peers receive multiple copies of the same region map. Somewhat simplified, a resolver conveys to each peer a table of hash values reflecting the region maps it currently has stored. This mechanism also deals with memory loss in a resolver.

Like DNS zone files, coverage regions carry an identifier and timestamp to allow receivers to replace old regions with new regions. Region maps do not expire; they are valid until replaced. (Expiration is not necessary since new ones are pushed to all resolvers.)

7.  Resolver Discovery

LUMP services may be operated by a variety of organizations and entities, including Internet service providers, Internet access providers, voice service providers, and specialized LUMP service providers, such as public safety agencies or commercial database vendors. Each of these can advertise either their own servers or servers operated by other entities.

LUMP supports a range of resolver discovery mechanisms. Essentially, any discovery protocol may be used, including SLP [6], DNS-based discovery [9] or UDDI. If the Internet service provider offers LUMP services, it may advertise these via DHCP. If the voice service provider offers LUMP services, it may include those in the SIP device configuration [10].

In general, it is advantageous to use a resolver that is close, in both a network topology and a geographic sense, to the querier.
Such proximity reduces the query latency due to reduced round-trip times and, in many cases, such servers will already have the necessary results cached, or at least pointers to the appropriate authoritative resolvers, and may already have established security associations with the appropriate resolver.

8.  Protocol Operations

In this section, we describe the protocol operations. Detailed information about the query and response parameter lists is described in WSDL in TBD.

8.1  Query

The query is the main operation in LUMP. The query includes a PIDF-LO object and returns a list of URLs, in addition to hints that can shorten the request path for future queries.

8.1.1  Query Input

location object: The location object used for the query, typically a PIDF-LO.

location object format: The format of the location object, as an Internet media type (e.g., text/xml).

service: The service desired, e.g., "emergency.fire" or "emergency".

query precision: If set to "exact", the query fails if there is no precise match in all relevant location fields. If "partial", the matching algorithm may skip the least-significant parts of a civic address. If "soundex", the matching algorithm may use a sound-alike algorithm to find an approximate match. For example, the query "Main St" would match "Maine St". Other query precisions may be defined in the future. If the receiving resolver does not understand the query precision, it uses the "exact" matching algorithm.

query mode: The query mode can be "recursive" or "iterative". In a recursive query, the resolver contacted for the query in turn attempts to resolve the query by contacting other servers if it is not authoritative for the location specified. In an iterative query, the resolver will return one or more LUMP URLs, in addition to any service URLs, that may be able to provide a more precise match.
Resolvers MUST support iterative queries and SHOULD support recursive queries.

8.1.2  Query Output

URL list: The URL list enumerates all URLs discovered during the search. Each list element includes the URL, an indication of the service offered by the URL, a positive integer reflecting the priority (with zero having the highest priority), a match quality indicator (drawn from the values "exact", "partial", "soundex") and a host name indicating the resolver that provided this answer. If further searches are possible, a lump: URL is included. Normally, such lump: URLs are only included if the querier requested iterative resolution. The service indicator is optional and is included if the URL only offers a subset of services, e.g., police or fire for emergency services. The match quality is included if not all parts of the civic address were used for matching. It indicates the lowest-granularity element that was matched, by its PIDF-LO element name, such as A6.

hint list: The hint list consists of elements, each containing a LUMP URL, an expiration time and either a PIDF-LO containing civic information or a polygon. A hint indicates a region and its associated LUMP URL. For example, a hint with the region "CN=US A1=XXX" and URL=lump:nj.example.com would cause the resolver to direct all queries for this region to the nj.example.com server. The resolver MAY ignore hints. Hints are accumulated if a query is resolved recursively. To save space in responses, hints for geospatial regions may be subsets of the region covered. For example, instead of representing a country with a polygon having hundreds of line segments and precisely tracing the boundary, the hint may contain a simplified version that is strictly contained within the true boundary but omits some regions close to the border. This causes most queries for that country to be resolved via the hinted URL, without having to store detailed maps.
location object: Optionally, the query MAY return a location object that adds information missing from the query object. For example, where available, it may provide the geospatial location of a landmark specified as a civic address in the query.

path: A list of the LUMP servers that were used for resolving the query, enumerated in the order used.

8.1.3  Query Error

reason code: Describes why the query failed, including server failure, no precise match, invalid data, or refusal to recurse.

reason: Textual description of the error condition.

path: The list of servers that were used for resolution, with the last server in the list being the source of the error.

8.2  Update

The update operation is used to synchronize a server with a particular mapping from a PIDF-LO object to a set of URLs. This operation is used to inject new data into LUMP, by clusters to update other members of the cluster, and to distribute region maps.

A receiver of an update behaves slightly differently depending on whether the update was received from an external entity (i.e., a node that is neither a peer nor a fellow cluster member) or from a peer or cluster member. If a resolver receives data from outside or from a peer, it updates all fellow cluster members. If a node receives data from a peer, or data that is marked as global from outside, it also updates all other peers. This floods all global data to all LUMP servers.

8.2.1  Update Input

location object type: A media type string indicating the type of the location object.

global: A flag that indicates whether this object is a top-level region description and thus to be flooded, or not. (As noted elsewhere, accidental flooding of non-top-level regions does no harm beyond wasting bandwidth between resolvers.)

region: The region, typically expressed as a PIDF-LO or a polygon.

URL list: The list of URLs (service or LUMP) that are associated with that region.
   replaces: Identifies, by hash value, the object that it replaces. This also allows a region to grow or shrink after an update.

   expires: The time that the region-to-location mapping expires.

   The location object, expiration time and URL are signed using XMLDSIG.

8.2.2 Update Output

   TBD

8.2.3 Update Error

   TBD

8.3 Summary

   Resolvers within a cluster or peers exchange summary messages. A summary message contains a list of hashes that the sending node currently has within its object cache. The hashes include the same material covered by the XMLDSIG in the Update request above, i.e., they include the expiration time. TBD: Bit vector instead?

   If the recipient determines that the sender of the summary is missing a particular element, it sends the missing pieces using Update requests.

   TBD: There are more efficient synchronization mechanisms, partially depending on the assumptions on the updates. See mSLP.

9. Configuring Emergency Dial Strings

   For the foreseeable future, some user devices and software will emulate the user interface of a telephone, i.e., the only way to enter call address information is via a 12-button keypad. Also, emergency numbers are likely to be used until essentially all communication devices feature IP connectivity and an alphanumeric keyboard. Unfortunately, more than 60 emergency numbers are in use throughout the world, with many of those numbers serving non-emergency purposes elsewhere, e.g., identifying repair or directory services. Countries also occasionally change their emergency numbers, for example, by selecting a number already in use in other countries of a region (such as 112 in Europe). Thus, a system that allows devices to be used internationally to place emergency calls needs to allow devices to discover emergency numbers automatically. In the system proposed, these numbers are strictly of local significance and are generally not visible in call signaling messages.
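   The update forwarding rules of Section 8.2 and the summary exchange of Section 8.3, modelled together as an added example (not code from the draft). Host names are constructed; the object hash is assumed to be SHA-256 over a canonical JSON serialization of the XMLDSIG-covered fields, since the draft does not fix a hash construction; a duplicate object stops the flood at that node, an assumption the draft leaves implicit.

```python
import hashlib
import json

class LumpNode:
    """Constructed model of one LUMP server's update forwarding and summary
    handling. Cluster members and peers are identified by host name."""

    def __init__(self, name, cluster, peers):
        self.name, self.cluster, self.peers = name, set(cluster), set(peers)
        self.cache = {}          # object hash -> update object

    @staticmethod
    def object_hash(obj):
        # Assumption: SHA-256 over canonical JSON of the signed fields
        # (region, expiration time, URL list); 'global' is not covered.
        signed = {k: obj[k] for k in ("region", "expires", "urls")}
        return hashlib.sha256(
            json.dumps(signed, sort_keys=True).encode()).hexdigest()

    def receive_update(self, obj, source):
        """Store obj and return the hosts it must be forwarded to.

        source is 'outside' (neither peer nor cluster member), 'peer' or
        'cluster'. Data from a fellow cluster member is forwarded no
        further; the sender already synchronizes the cluster (assumption).
        """
        h = self.object_hash(obj)
        if h in self.cache:          # already seen: do not re-flood
            return set()
        self.cache[h] = obj
        targets = set()
        if source in ("outside", "peer"):
            targets |= self.cluster
        if source == "peer" or (source == "outside" and obj.get("global")):
            targets |= self.peers
        return targets - {self.name}

    def summary(self):
        """Summary message: hashes of everything in this node's cache."""
        return set(self.cache)

    def missing_for(self, sender_summary):
        """Objects to push via Update requests to a node whose summary lacks
        them."""
        return [o for h, o in self.cache.items() if h not in sender_summary]
```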
   For simplicity of presentation, this section assumes that emergency numbers are valid throughout a country, rather than, say, being restricted to a particular city. This appears likely to be true in countries likely to deploy IP-based emergency calling solutions. In addition, the solution proposed also works if certain countries do not use a national emergency number. There is no requirement that a country uses a single emergency number for all emergency services, such as fire, police, or rescue.

   For the best user experience, systems should be able to discover two sets of numbers, namely those used in the user's home country and in the country the user is currently visiting. The user is most likely to remember the former, but a companion borrowing a device in an emergency may only know the local emergency numbers.

   Determining home and local emergency numbers is a configuration problem, but unfortunately, existing configuration mechanisms are ill-suited for this purpose. For example, a DHCP server might be able to provide the local emergency number, but not the home numbers. Similarly, SIP configuration would be able to provide the numbers valid at the location of the SIP service provider, but even a SIP service provider with a national footprint may serve customers that are visiting any number of other countries.

   Since dial strings are represented as URLs [5], the problem of determining local and home emergency numbers is a problem of mapping locations to a set of URLs, i.e., exactly the problem that LUMP is solving already. The mapping operation is almost exactly the same as for determining the emergency service URL. The only difference is that if a querier knows the civic location at least to the country level, it will use a query where the PIDF-LO only includes the country code. If it only knows its geospatial location, it has to include that longitude and latitude.
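   The querier side of this procedure as an added example (not from the draft): the known location is reduced to the country code before it leaves the device, home and local dial strings are fetched separately, and the best entry per service is chosen by priority from URL-list elements in the Section 8.1.2 shape. The resolver is a constructed stand-in; the dial string URLs and host names are placeholders, not the format defined in [5].

```python
# Constructed querier-side example for emergency dial-string discovery.
# A resolver is modelled as resolver(query, service) -> URL list whose
# elements are (url, service, priority, match_quality, resolver_host).

def dialstring_query(location):
    """Send the minimum LUMP needs: the country code only if the civic
    location is known at least that far, otherwise the geospatial point."""
    if isinstance(location, dict):
        if "CN" not in location:
            raise ValueError("civic location must at least name the country")
        return {"civic": {"CN": location["CN"]}}
    lat, lon = location
    return {"geo": {"lat": lat, "lon": lon}}

def best_dialstring(url_list, service):
    """Highest-priority entry (lowest number, zero best) for one service."""
    matches = [e for e in url_list if e[1] == service]
    return min(matches, key=lambda e: e[2])[0] if matches else None

def emergency_dialstrings(home, current, resolver, services):
    """Both sets the draft asks for: the home country's and the visited
    country's dial strings, one query each."""
    result = {}
    for label, loc in (("home", home), ("local", current)):
        answers = resolver(dialstring_query(loc), "dialstring.emergency")
        result[label] = {s: best_dialstring(answers, s) for s in services}
    return result

# Constructed stand-in data; URL forms are placeholders, not [5]'s syntax.
FAKE_TABLE = {
    "US": [("sip:911@us.example.com;user=dialstring", "dialstring.emergency",
            0, None, "us.example.com")],
    "DE": [("sip:112@de.example.com;user=dialstring", "dialstring.emergency",
            0, None, "de.example.com"),
           ("sip:110@de.example.com;user=dialstring",
            "dialstring.emergency.police", 0, None, "de.example.com")],
}

def fake_resolver(query, service):
    if "civic" in query:
        return FAKE_TABLE.get(query["civic"]["CN"], [])
    # Demo assumption: every geospatial point falls in DE; a real resolver
    # would consult the country region map it holds.
    return FAKE_TABLE["DE"]
```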
   The querier uses the service identifiers "dialstring.emergency", "dialstring.emergency.fire", etc. The resolver returns the appropriate set of URLs and, if a geospatial location was used in the query, the current region map for the country.

   Within the LUMP system, emergency calling regions are global information, i.e., they are distributed using the peer broadcast mechanism described earlier. Thus, every resolver has access to all region mappings. This makes it possible for a querier to ask any resolver for this information, reducing the privacy threat of revealing its location outside of an emergency call. The privacy threat is further reduced by the long-lived nature of the information, i.e., in almost all cases, the querier will have already cached the national boundary information or country information on its first visit to the country, using the normal LUMP hinting mechanism. (Given the modest storage needs, a querier could even cache all boundary maps.)

10. Security

   LUMP addresses the following security issues, usually through the underlying transport security associations:

   Server impersonation: Queriers, cluster members and peers can assure themselves of the identity of the remote party by using the facilities in the underlying channel security mechanism, such as TLS.

   Query or query result corruption: To prevent an attacker from modifying the query or its result, LUMP RECOMMENDS the use of channel security, such as TLS.

   Region corruption: To prevent a third party or an untrustworthy member of the LUMP server population from introducing a region map that it is not authorized for, any peer introducing a new region map MUST sign the object by encapsulating the data into a CMS wrapper. A recipient MUST verify, through a local policy mechanism, that the signing entity is indeed authorized to speak for that region.
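   One shape such a local policy check can take, added here as an example that is not the draft's own mechanism: the CMS signature is assumed to have been verified already, so the input is the verified signer identity; the policy table maps signers to the civic regions they may speak for, authority over a region is assumed to extend to its sub-regions, and a replacement that moves an existing region to a different resolver address is flagged for review rather than installed silently, following the draft's advice. Signer names, regions and URLs are constructed.

```python
# Constructed local policy for the "Region corruption" threat; not from the
# draft. `signer` is the identity behind an already-verified CMS signature.

# Assumption: signer -> civic regions (PIDF-LO element subsets) it may sign
# for; authority over a region is taken to cover all of its sub-regions.
POLICY = {
    "us.authority.example": [{"CN": "US"}],
    "nj.authority.example": [{"CN": "US", "A1": "NJ"}],
}

def covers(authorized, region):
    """True when every element of the authorized region matches the new one,
    so {"CN": "US"} covers {"CN": "US", "A1": "NJ"} but not the reverse."""
    return all(region.get(k) == v for k, v in authorized.items())

def is_authorized(policy, signer, region):
    return any(covers(r, region) for r in policy.get(signer, []))

def check_region_update(policy, existing_maps, signer, update):
    """Return (verdict, reason) with verdict 'accept', 'reject' or 'review'.

    existing_maps: installed region maps, each with 'region' and 'urls'.
    A signed, authorized replacement that points the region at a different
    resolver is returned as 'review' so an operator can confirm it.
    """
    region = update["region"]
    if not is_authorized(policy, signer, region):
        return "reject", f"{signer} is not authorized for {region}"
    for old in existing_maps:
        if old["region"] == region and set(old["urls"]) != set(update["urls"]):
            return "review", f"resolver for {region} changes {old['urls']} -> {update['urls']}"
    return "accept", f"{signer} authorized for {region}"
```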
   Determining who can speak for a particular region is inherently difficult unless there is a small set of authorizing entities that resolvers can trust. Receiving resolvers should be particularly suspicious if an existing region map is replaced with a new one with a new resolver address.

   Additional threats that need to be addressed by operational measures include denial-of-service attacks.

11. References

11.1 Normative References

   [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.

   [2] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, March 1997.

   [3] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for specifying the location of services (DNS SRV)", RFC 2782, February 2000.

   [4] Peterson, J., "A Presence-based GEOPRIV Location Object Format", draft-ietf-geopriv-pidf-lo-03 (work in progress), September 2004.

   [5] Rosen, B., "Dialstring parameter for the sip URI", draft-rosen-iptel-dialstring-01 (work in progress), February 2005.

11.2 Informative References

   [6] Guttman, E., Perkins, C., Veizades, J., and M. Day, "Service Location Protocol, Version 2", RFC 2608, June 1999.

   [7] Zhao, W., Schulzrinne, H., and E. Guttman, "Mesh-enhanced Service Location Protocol (mSLP)", RFC 3528, April 2003.

   [8] Newton, A. and M. Sanz, "IRIS: The Internet Registry Information Service (IRIS) Core Protocol", RFC 3981, January 2005.

   [9] Cheshire, S., "DNS-Based Service Discovery", draft-cheshire-dnsext-dns-sd-02 (work in progress), February 2004.

   [10] Petrie, D., "A Framework for Session Initiation Protocol User Agent Profile Delivery", draft-ietf-sipping-config-framework-06 (work in progress), February 2005.

   [11] Schulzrinne, H. and R. Marshall, "Requirements for Emergency Context Resolution with Internet Technologies", draft-schulzrinne-ecrit-requirements-00 (work in progress), May 2005.
Author's Address

   Henning Schulzrinne
   Columbia University
   Department of Computer Science
   450 Computer Science Building
   New York, NY 10027
   US

   Phone: +1 212 939 7004
   Email: hgs+ecrit@cs.columbia.edu
   URI:   http://www.cs.columbia.edu

Appendix A. Acknowledgments

   provided helpful comments.

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
Disclaimer of Validity

   This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2005). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the Internet Society.