ECRIT H. Schulzrinne Internet-Draft Columbia University Intended status:InformationalStandards Track H. Tschofenig Expires:May 9, 2011April 29, 2012 Nokia Siemens Networks C. Holmberg Ericsson M. Patel InterDigital CommunicationsNovember 5, 2010October 27, 2011 Public Safety Answering Point (PSAP)Callbacks draft-ietf-ecrit-psap-callback-02.txtCallback draft-ietf-ecrit-psap-callback-03.txt Abstract After an emergency call is completed (either prematurely terminated by the emergency caller or normally by the call-taker) it is possible that the call-taker feels the need for furthercommunication or for a clarification.communication. For example, the call may have been dropped by accident without thecall-takercall- taker having sufficient information about the current situation of a wounded person. A call-taker may trigger a callback towards the emergency caller using the contact information provided with the initial emergency call. This callback could, under certain circumstances,thenbe treated like any other call and as aconsequence,consequence it may get blocked by authorization policies or may get forwarded to an answering machine. The IETF emergency services architectureaddresses callbacks in aoffers capabilities to allow callbask to bypass authorization policies to reach the caller without unnecessary delays. However, the mechanism specified prior to this document supports only limitedfashion and thereby covers a couple ofscenarios. This document discusses someshortcomingsshortcomings, presents additional scenarios where better-than- normal call treatment behavior would be desirable, andillustrates an extension.specifies a protocol solution. Status ofthisThis Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire onMay 9, 2011.April 29, 2012. Copyright Notice Copyright (c)20102011 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 31.1. Routing Asymmetry . . .2. Terminology . . . . . . . . . . . . . . . . .3 1.2. Multi-Stage Resolution. . . . . . . . 5 3. Callback Scenarios . . . . . . . . . .4 1.3. Call Forwarding. . . . . . . . . . . . 6 3.1. Routing Asymmetry . . . . . . . . .5 1.4. PSTN Interworking .. . . . . . . . . . . 6 3.2. Multi-Stage Routing . . . . . . . .7 1.5. Network-based Service URN Resolution. . . . . . . . . . . 72. Terminology .3.3. Call Forwarding . . . . . . . . . . . . . . . . . . . . . 8 3.4. Network-based Service URN Resolution . . .9 3. Architecture. . . . . . . . 10 3.5. PSTN Interworking . . . . . . . . . . . . . . . . .10 4. Callback Marking. . . 11 4. Specification . . . . . . . . . . . . . . . . . . . .12 4.1. Tel URI. . . . 12 5. Security Considerations . . . . . . . . . . . . . . . . . . . 13 6. IANA Considerations . .12 4.2. SIP URI .. . . . . . . . . . . . . . . . . . . 14 7. Acknowledgements . . . . .12 5. Security Considerations. . . . . . . . . . . . . . . . . . 15 8. References .14 6. IANA Considerations. . . . . . . . . . . . . . . . . . . . .15 7. Acknowledgements. . . . 16 8.1. Normative References . . . . . . . . . . . . . . . . . . . 168.8.2. Informative References . . . . . . . . . . . . . . . . . . 17 Appendix A. Alternative Solutions Considered . . . . . . . .17 8.1. Normative References . . . . .. . 19 A.1. Identity-based Authorization . . . . . . . . . . . .17 8.2. Informative References. . . 19 A.2. Trait-based Authorization . . . . . . . . . . . . . . .17 Authors' Addresses. 20 A.3. Call Marking . . . . . . . . . . . . . . . . . . . . . . .1921 1. Introduction Summoning police, the fire department or an ambulance in emergencies is one of the fundamental and most-valued functions of the telephone. As telephone functionality moves from circuit-switched telephony to Internet telephony, its users rightfully expect that this core functionality will continue to work at least as well as it has for the legacy technology. New devices and services are being made available that could be used to make a request for help, which are not traditional telephones, and users are increasingly expecting them to be used to place emergency calls. An overview of the protocol interactions for emergency calling using the IETF emergency services architecture are described in [I-D.ietf-ecrit-framework] and [I-D.ietf-ecrit-phonebcp] specifies the technical details. As part of the emergency call setup procedure two important identifiers are conveyed to the PSAP call-taker's user agent, namely the Address-Of-Record (AoR), and the Globally Routable User Agent (UA) URIs (GRUU). RFC 3261 [RFC3261] defines the AoR as: An address-of-record (AOR) is a SIP or SIPS URI that points to a domain with a location service that can map the URI to another URI where the user might be available. Typically, the location service is populated through registrations. An AOR is frequently thought of as the "public address" of the user. In SIP systems a single user can have a number of user agents (handsets, softphones, voicemail accounts, etc.) which are all referenced by the same AOR. There are a number of cases in which it is desirable to have an identifier which addresses a single user agent rather than the group of user agents indicated by an AOR. The GRUU is such a unique user- agent identifier, which is still globally routable. [RFC5627] specifies how to obtain and use GRUUs. Regulatory requirements demand that the emergency call itself provides enough information to allow the call-taker to initiate a call back to the emergency caller in case the call dropped or to interact with the emergency caller in case of further questions.Such a call, referred asThe AoR and the GRUU serve this purpose. The communication attempt by the PSAP call-taker back to the emergency caller is called 'PSAP callback'. A PSAP callbacksubsequently in this document,may, however, be blocked by user configured whitelis or may be forwarded to an answering machine as SIP entities (SIP proxies as well as the SIP UA itself) cannotassociate the potential importantance ofdifferentiate the callback from any other SIP callbased onestablishing attempt from the SIPsignaling. Note that the authors are, however, not aware ofsignaling message. While there are no regulatory requirementsfor providing preferential treatment of callbacks initiated by the call-takerat the time of writing of this specification there is the believe that PSAPtowardscallbacks have to be treated in such a way that they reach the emergency caller.Section 10 of [I-D.ietf-ecrit-framework] discusses the identifiers requiredFor this purpose guidance forcallbacks, namely AOR URI and a globally routable URIPSAP callback handling has been provided ina Contact: header.Section 13 of[I-D.ietf-ecrit-framework] provides the following guidance regarding callback handling:[I-D.ietf-ecrit-framework]: A UA may be able to determine a PSAP call back by examining the domain of incoming calls after placing an emergency call and comparing that to the domain of the answering PSAP from the emergency call. Any call from the same domain and directed to the supplied Contact header or AoR after an emergency call should be accepted as acall-backcallback from the PSAP if it occurs within a reasonable time after an emergency call was placed. This approach mimics a stateful packet filtering firewall and is indeed helpful in a number of cases. It is also relatively simple to implement.Below,Unfortunately, it does not work in all SIP deployment scenarios. In Section 3 wediscuss a few casesdescribe scenarios wherethisthe currently standardized approach is insufficient. In Section 4 a solution is described. 2. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. Emergency services related terminology is borrowed from [RFC5012]. 3. Callback Scenarios This section illustrates a number of scenarios where the currently specified solution, as specified in [I-D.ietf-ecrit-phonebcp], for preferential treatment of callbacks fails.1.1.As explained in Section 1 a SIP entity examines an incoming PSAP call back by comparing the domain of the PSAP with the destination domain of the emergency call. 3.1. Routing Asymmetry In some deployment environments it is common to have incoming and outgoing SIP messagingto userouted through different SIP entities. Figure 1 shows this graphically whereby a VoIP provider uses differentroutes.SIP proxies for inbound and for outbound call handling. Unless they two devices are state synchronized the callback hitting the inbound proxy would get treated like any other call since the emergency call established state information at the outbound proxy only. ,-------. ,' `. ,-------. / Emergency \ ,' `. | Services | / VoIP \ I | Network | | Provider | n | | | | t | | | | e | | | +-------+ | r | | +--+---|Inbound|<--+-----m | | | | |Proxy | | e | +------+ | | | +-------+ | d | |PSAP | | | | | i | +--+---+ | +----+ | | | a-+ | | | | UA |<---+ | | t | | | | | |----+ | | e | | | | +----+ | | | | | | | | | | P | | | | | | | r | | | | | | +--------+ | o | | | | +--+-->|Outbound|--+---->v | | +--+---+ | | |Proxy | | i | | +-+ESRP | | | +--------+ | d | | | +------+ | | | e || | | | | r |+-+ | \ / | | `. ,' \ / '-------' `. ,' '-------' Figure 1: Example for Routing Asymmetry1.2.3.2. Multi-StageResolutionRouting Consider the following emergency call routing scenario shown in Figure 2 where routing towards the PSAP occurs in several stages.An emergency call usesIn this scenario we consider a SIP UA thatdoes not runuses LoSTonto learn theend point. Hence,next hop destination closer to the PSAP. This call ismarked withthen sent to the'urn:service:sos' Service URN [RFC5031].user's VoIP provider. The user's VoIP provider receives the emergency call anddetermines wherecreates state based on the destination domain, namely state.com. It then routes it toroute it. Local configuration or a LoST lookup might, in our example, reveal that emergency calls are routed via a dedicated provider FooBar and targetedthe indicated ESRP. When the ESRP receives it it needs toa specific entity, referred as esrp1@foobar.com. FooBar does not handle emergency calls itself but performs another resolution stepdecide what the next hop is to get it closer tolet calls entertheemergency services network and in this case another resolution step takes place and esrp-a@esinet.orgPSAP. In our example the next hop isdetermined astherecipient, pointing to an edge device atPSAP with theIP-based emergency services network. InsideURI psap@town.com. When a callback is sent from psap@town.com towards the emergencyservices there might be more sophisticated routing taking place somewhat depending oncaller the call will get normal treatment by the VoIP providers inbound proxy since theexisting structuredomain of theemergency services infrastructure.PSAP does not match the stored state information. ,-------. +----+ ,' `. | UA |---urn:service:sosesrp1@foobar.com / Emergency \ +----+ \ | Services | \ ,-------. | Network | ,' `. | | / VoIP \ | +------+ | ( Provider ) | |PSAP | | \ / | +--+---+ | `. ,' | | '---+---' |+------+| | ||PSAP|psap@town.com | esrp@state.com |esrp1@foobar.com|+--+---+ | | | | | | | | | ,---+---.| | |,' `. | | | / Provider \ | ||+ FooBar )| | |\ /| | |`. ,'| +--+---+ |'---+---' | +-+ESRP | |+------------+---+ESRP | | | +------+ | | || | +------------+-+ | esrp-a@esinet.org | |\ / `. ,' '-------' Figure 2: Example for Multi-StageResolution 1.3.Routing 3.3. Call Forwarding Imagine the following case where an emergency call enters an emergency network (state.org) via an ERSP but then gets forwarded to a different emergency services network (in our example to police- town.org, fire-town.org or medic-town.org). The same considerations apply when the the police, fire and ambulance networks are part of the state.org sub-domains (e.g., police.state.org). Similarly to the previous scenario the problem here is with the wrong state information being established during the emergency call setup procedure. A callback would originate in the police-town.org, fire- town.org or medic-town.org domain whereas the emergency caller's SIP UA or the VoIP outbound proxy has stored state.org. ,-------. ,' `. / Emergency \ | Services | | Network | | (state.org) | | | | | | +------+ | | |PSAP +--+ | | +--+---+ | | | | | | | | | | | | | | | | | | | | | | | +--+---+ | | ------------------+---+ESRP | | | esrp-a@state.org | +------+ | | | | | | Call Fwd | | | +-+-+---+ | \ | | | / `. | | | ,' '-|-|-|-' ,-------. Police | | | Fire ,' `. +------------+ | +----+ / Emergency \ ,-------. | | | | Services | ,' `. | | | | Network | / Emergency \ | Ambulance | | fire-town.org | | Services | | | | | | | Network | | +----+ | | +------+ | |police-town.org| | ,-------. | +----+---+PSAP | | | | | ,' `. | | +------+ | | +------+ | | / Emergency \ | | | | |PSAP +----+--+ | Services | | | , | +------+ | | Network | | `~~~~~~~~~~~~~~~ | | |medic-town.org | | | , | | | `~~~~~~~~~~~~~~~ | +------+ | | | |PSAP +----+ + | +------+ | | | | , `~~~~~~~~~~~~~~~ Figure 3: Example for Call Forwarding1.4.3.4. Network-based Service URN Resolution The IETF emergency services architecture also considers cases where the resolution from the Service URN to the PSAP URI does not only happen at the SIP UA itself but at intermedidate SIP entities, such as the user's VoIP provider. Figure 4 shows this message exchange of the outgoing emergency call and the incoming PSAP graphically. While the state information stored at the VoIP provider is correct the state allocated at the SIP UA is not. ,-------. ,' `. / Emergency \ | Services | | Network | |police-town.org| | | | +------+ | Invite to police.example.com | |PSAP +<---+------------------------+ | | +----+------------------+ ^ | +------+ |Invite from | | | ,police.example.com| | `~~~~~~~~~~~~~~~ v | +--------+ ++-----+-+ | | query |VoIP | | LoST |<-----------------------|Service | | Server | police.example.com |Provider| | |----------------------->| | +--------+ +--------+ | ^ Invite| | Invite from| | to police.example.com| | urn:service:sos V | +-------+ | SIP | | UA | | Alice | +-------+ Figure 4: Example for Network-based Service URN Resolution 3.5. PSTN Interworking In case an emergency call enters the PSTN, as shown in Figure4,5, there is no guarantee that the callback some time later does leave the same PSTN/VoIP gateway or that the same end point identifier is used in the forward as well as in the backward direction making it difficult to reliably detect PSAP callbacks. +-----------+ | PSTN |-------------+ | Calltaker | | | Bob |<--------+ | +-----------+ | v ------------------- //// \\\\ +------------+ | | |PSTN / VoIP | | PSTN |---->|Gateway | \\\\ //// | | ------------------- +----+-------+ ^ | | | +-------------+ | +--------+ | | | |VoIP | | PSTN / VoIP | +->|Service | | Gateway | |Provider| | |<------Invite----| Y | +-------------+ +--------+ | ^ | | Invite Invite | | V | +-------+ | SIP | | UA | | Alice | +-------+ Figure4:5: Example for PSTN Interworking1.5. Network-based Service URN ResolutionNote: This scenario is considered outside the scope of this document. Themechanismspecified solution does not support this use case. 4. Specification [Editor's Note: The solution approach described in[I-D.ietf-ecrit-framework] assumes that all devices[I-D.holmberg-emergency-callback-id] will be discussed at thecall signaling path store information about the domain of the communication recipient. This is necessary to matchIETF#82 ECRIT meeting and at thestored domain name againstECRIT mailing list and will be incorporated here if agreed by thedomainworking group.] 5. Security Considerations [Editor's Note: Instead ofthe sender whenanincoming call arrives. However, the IETF emergency services architecture also considers those cases whereabstract security description text will be provided with theresolution fromsolution description.] 6. IANA Considerations [Editor's Note: IANA consideration text will be added once an agreement on theService URNsolution has been reached. 7. Acknowledgements We would like to thank members from the ECRIT working group, in particular Brian Rosen, for their discussions around PSAPURI happens somewherecallbacks. The working group discussed the topic of callbacks at their virtual interim meeting in February 2010 and thenetwork rather than immediatelyfollowing persons provided valuable input: John Elwell, Bernard Aboba, Cullen Jennings, Keith Drage, Marc Linsner, Roger Marshall, Dan Romascanu, Geoff Thompson, Janet Gunn. At IETF#81 a small group of people got to together to continue the discussions started at theend point itself. In suchworking group meeting to explore acase,GRUU- based solution approach. Martin Thomson, Marc Linsner, Andrew Allen, Brian Rosen, Martin Dolly, and Atle Monrad participated at this side- meeting. Finally, we would like to thank Cullen Jennings for his discussion input. He was theend device is therefore not ablefirst to propose a "token-based" solution. 8. References 8.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, June 2002. [RFC3325] Jennings, C., Peterson, J., and M. Watson, "Private Extensions tomatchthedomain ofSession Initiation Protocol (SIP) for Asserted Identity within Trusted Networks", RFC 3325, November 2002. [RFC3966] Schulzrinne, H., "The tel URI for Telephone Numbers", RFC 3966, December 2004. [RFC3969] Camarillo, G., "The Internet Assigned Number Authority (IANA) Uniform Resource Identifier (URI) Parameter Registry for thesender with any information fromSession Initiation Protocol (SIP)", BCP 99, RFC 3969, December 2004. [RFC4474] Peterson, J. and C. Jennings, "Enhancements for Authenticated Identity Management in theoutgoingSession Initiation Protocol (SIP)", RFC 4474, August 2006. [RFC5341] Jennings, C. and V. Gurbani, "The Internet Assigned Number Authority (IANA) tel Uniform Resource Identifier (URI) Parameter Registry", September 2008. [RFC5627] Rosenberg, J., "Obtaining and Using Globally Routable User Agent URIs (GRUUs) in the Session Initiation Protocol (SIP)", RFC 5627, October 2009. 8.2. Informative References [I-D.holmberg-emergency-callback-id] Holmberg, C., "Session Initiation Protocol (SIP) emergencycall. Figure 5 shows this message exchange graphically. ,-------. ,' `. /call back identification", draft- holmberg-emergency-callback-id- 00 (work in progress), October 2011. [I-D.ietf-ecrit-framework] Rosen, B., Schulzrinne, H., Polk, J., and A. Newton, "Framework for Emergency\ |Calling using Internet Multimedia", draft-ietf-ecrit-framework-13 (work in progress), September 2011. [I-D.ietf-ecrit-phonebcp] Rosen, B. and J. Polk, "Best Current Practice for Communications Services| | Network | |police-town.org| | | | +------+ | Invite to police.example.com | |PSAP +<---+------------------------+ | | +----+------------------+ ^ | +------+ |Invite from | | | ,police.example.com| | `~~~~~~~~~~~~~~~ v | +--------+ ++-----+-+ | | query |VoIP | | LoST |<-----------------------|Service | | Server | police.example.com |Provider| | |----------------------->| | +--------+ +--------+ | ^ Invite| | Invite from| | to police.example.com| | urn:service:sos V | +-------+ | SIP | | UA | | Alice | +-------+ Figure 5: Examplein support of Emergency Calling", draft-ietf-ecrit-phonebcp-20 (work in progress), September 2011. [I-D.ietf-sip-saml] Tschofenig, H., Hodges, J., Peterson, J., Polk, J., and D. Sicker, "SIP SAML Profile and Binding", draft-ietf-sip-saml-08 (work in progress), October 2010. [RFC4484] Peterson, J., Polk, J., Sicker, D., and H. Tschofenig, "Trait- Based Authorization Requirements forNetwork-based Service URNthe Session Initiation Protocol (SIP)", RFC 4484, August 2006. [RFC5012] Schulzrinne, H. and R. Marshall, "Requirements for Emergency Context Resolution2. Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",with Internet Technologies", RFC 5012, January 2008. [RFC5031] Schulzrinne, H., "A Uniform Resource Name (URN) for Emergency and"OPTIONAL" in this document areOther Well-Known Services", RFC 5031, January 2008. [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", STD 68, RFC 5234, January 2008. Appendix A. Alternative Solutions Considered In an attempt tobe interpreted as described in [RFC2119]. Emergency services related terminology is borrowed from [RFC5012]. 3. Architecture Section 4 describes howdescribe the problem and tomark a call as a callback. However,explore solution approaches thepure emergency service callback marking is insufficient since it lacks any built-in security mechanism. Fortunately, available SIP security techniquesworking group had also investigated alternative approaches. We document them here forthe purpose of authorization can be re-used, as describedcompleteness. The solutions fall into three categories: (1) Identity-based authorization, (2) Trait-based authorization, and (3) Call Marking. Even though these solutions are not mutually exclusive we describe them inthe restseparate sub-sections. Beyond the disadvantages listed in each solution category none of them provides thesection.emergency caller with the ability to restrict preferential PSAP callback handling to those cases where an earlier emergency call was initiated. A.1. Identity-based Authorization In Figure 6 an interaction is presented that allows a SIP entity to make a policy decision whether to bypass installed authorization policies and thereby providing preferential treatment. To make this decision the sender's identity is compared with a whitelist of valid PSAPs. The identity assurances in SIP can come in different forms, such as SIP Identity [RFC4474] or with P-Asserted-Identity [RFC3325]. The former technique relies on a cryptographic assurance and the latter on a chain of trust. +----------+ | List of |+ | valid || | PSAP ids || +----------+| +----------+ * * whitelist * V Incoming +----------+ Normal SIP Msg | SIP |+ Treatment -------------->| Entity ||=============> + Identity | ||(if not in whitelist) +----------+| +----------+ || || || Preferential || Treatment ++=============> (in whitelist) Figure 6: Identity-based AuthorizationTheThis approach was not chosen because the establishment of a whitelistwithcontaining PSAP identities is operationally complex and does not easily scale world wide.WhenOnly when there is a local relationship between the VSP/ASP and the PSAP then populating the whitelist is far simpler. This would, however, constrain the applicability of the mechanism considerably. A.2. Trait-based Authorization An alternative approach to an identity based authorization model is outlined in Figure 7. In fact, RFC 4484 [RFC4484]already illustrated the basic requirements for this technique.illustrates a related emergency service use case. +----------+ | List of |+ | trust || | anchor || +----------+| +----------+ * * * V Incoming +----------+ Normal SIP Msg | SIP |+ Treatment -------------->| Entity ||=============> + trait | ||(no indication +----------+| of PSAP) +----------+ || || || Preferential || Treatment ++=============> (indicated as PSAP) Figure 7: Trait-based Authorization In a trait-based authorization scenario an incoming SIP message contains a form of trait, i.e. some form of assertion. The assertion contains an indication that the sending party has the role of a PSAP (or similar emergency services entity). The assertion is either cryptographically protected to enable end-to-end verification or an chain of trust security model has to be assumed. In Figure 7 we assume an end-to-end security model where trust anchors are provisioned to ensure the ability for a SIP entity to verify the received assertion.4. Callback Marking The callback marking is represented as URI parameter for an URI scheme. The ABNF [RFC5234] syntax is shown below. 4.1. Tel URI The 'par' production is defined in RFC 3966 [RFC3966]. The "/=" syntax indicates an extension of the production on the left-hand side: par /= callback callback = callback-tag "=" callback-value callback-tag = "callback" callback-value = "normal" / "test" / The semantics of the callback values are described below: normal: This represents an normal PSAP callback. test: This is a test callback. An example of the "callback" parameter is given below: P-Asserted-Identity: <tel:+17005554141;callback=test> 4.2. SIP URI The 'uri-parameter' production is defined in RFC 3966 [RFC3261]. The "/=" syntax indicates an extension of the production on the left-hand side: uri-parameter =/ callback callback = callback-tag "=" callback-value callback-tag = "callback" callback-value = "normal" / "test" / The semantics of the callback values are described below: normal: This represents an normal PSAP callback. test: This is a test callback. An example of the "callback" parameter is given below: P-Asserted-Identity: <sip:psap@example.com;callback=normal> 5. Security ConsiderationsThisdocument defines a callback marking scheme using URI parameters and illustrates how to handlesolution was not chosen because trait-based authorizationfor preferential treatment. The URI parameter that is included for a URI MUST be usednever got deployed inconcert with either the PAI [RFC3325] or the SIP Identity [RFC4474] header. A pure From header does not provide security assurance that the calling party is indeed a PSAP. An important aspect from a security point of view is the relationship between the emergency services network and the VSP (assumingSIP. Furthermore, in order to ensure that theemergency call travels via the VSP and not directly between the SIP UA and the PSAP). If there is some form of relationship between the emergency services operator and the VSP then the identification of a PSAP call backassertions are properly protected it isless problematic than in the case where the two entities have not entered innecessary to digitally sign, which requires some form ofrelationship that would allow the VSP to verify whether the marked callback message indeed came from a legitimate source. The main attack surface can be seen in thepublic key infrastructure for usageof PSAP callback marking to bypass blacklists, ignore call forwarding procedures and similar features to interactwithusers andemergency services. Finally, there need toget their attention. For example, using PSAP callback marking devices wouldbeable to recognize these types of incoming messages leading to the device overriding user interface configurations, such as vibrate-only mode. As such, the requirement is to ensure that the mechanisms describedsome policies inthis document can not be used for malicious purposes, including SPIT. A SIP entity MAY treat the call as a normal incoming call if it considers the request with the included URI parameterplace that define which entities are allowed tobe fraudulent, i.e. if it doesobtain various roles. These policies and procedures do notrecognize the originator, or the domain from whereexist today. A.3. Call Marking Call marking allows thecall originated from as being trusted/owned by a PSAP. It is NOT RECOMMENDEDPSAP todropplace acallnon-cryptographic label on outgoing calls thatis marked as PSAP callback in suchgives, when received by acase since this may severely impact the ability for calltakers at PSAPs to contact emergency callers. 6. IANA Considerations This document extends the registry of URI parameters for SIP, as defined in RFC 3969 [RFC3969]. A newSIPURI parameter is defined in this document as follows: Parameter Name: callback Predefined Values: Yes Reference: This document This document extends the registry of Tel URI parametersentity, preferential treatment forSIP, as defined in RFC 5341[RFC5341]. A new Tel URI parameter is definedthese callbacks. When used in isolation thisdocument as follows: Parameter Name: callback Predefined Values: Yes Reference: This document 7. Acknowledgements We would like to thank members from the ECRIT working group, in particular Brian Rosen, for their discussions around PSAP callbacks. The working group discussed the topicmechanism introduces considerable denial ofcallbacks at their virtual interim meeting in February 2010 andservice attacks due to thefollowing persons provided valuable input: John Elwell, Bernard Aboba, Cullen Jennings, Keith Drage, Marc Linsner, Roger Marshall, Dan Romascanu, Geoff Thompson, Janet Gunn. 8. References 8.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCsability toIndicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, June 2002. [RFC3325] Jennings, C., Peterson, J.,bypass any authorization policies andM. Watson, "Private Extensionscould be utilized tothe Session Initiation Protocol (SIP) for Asserted Identity within Trusted Networks", RFC 3325, November 2002. [RFC3966] Schulzrinne, H., "The tel URI for Telephone Numbers", RFC 3966, December 2004. [RFC3969] Camarillo, G., "The Internet Assigned Number Authority (IANA) Uniform Resource Identifier (URI) Parameter Registry for the Session Initiation Protocol (SIP)", BCP 99, RFC 3969, December 2004. [RFC4474] Peterson, J. and C. Jennings, "Enhancements for Authenticated Identity Management in the Session Initiation Protocol (SIP)", RFC 4474, August 2006. [RFC5341] Jennings, C. and V. Gurbani, "The Internet Assigned Number Authority (IANA) tel Uniform Resource Identifier (URI) Parameter Registry", September 2008. 8.2. Informative References [I-D.ietf-ecrit-framework] Rosen, B., Schulzrinne, H., Polk, J., and A. Newton, "Framework for Emergency Calling using Internet Multimedia", draft-ietf-ecrit-framework-12 (work in progress), October 2010. [I-D.ietf-sip-saml] Tschofenig, H., Hodges, J., Peterson, J., Polk, J., and D. Sicker, "SIP SAML Profile and Binding", draft-ietf-sip-saml-08 (work in progress), October 2010. [RFC4484] Peterson, J., Polk, J., Sicker, D., and H. Tschofenig, "Trait-Based Authorization Requirements for the Session Initiation Protocol (SIP)", RFC 4484, August 2006. [RFC5012] Schulzrinne, H. and R. Marshall, "Requirements for Emergency Context Resolution with Internet Technologies", RFC 5012, January 2008. [RFC5031] Schulzrinne, H., "A Uniform Resource Name (URN) for Emergency and Other Well-Known Services", RFC 5031, January 2008. [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", STD 68, RFC 5234, January 2008.distribute unwanted traffic. Authors' Addresses Henning Schulzrinne Columbia University Department of Computer Science 450 Computer Science Building New York, NY 10027 US Phone: +1 212 939 7004Email:EMail: hgs+ecrit@cs.columbia.edu URI: http://www.cs.columbia.edu Hannes Tschofenig Nokia Siemens Networks Linnoitustie 6 Espoo 02600 Finland Phone: +358 (50) 4871445Email:EMail: Hannes.Tschofenig@gmx.net URI: http://www.tschofenig.priv.at Christer Holmberg Ericsson Hirsalantie 11 Jorvas 02420 Finland EMail: christer.holmberg@ericsson.com Milan Patel InterDigital CommunicationsEmail:EMail: Milan.Patel@interdigital.com