| < draft-ietf-stir-rph-emergency-services-05.txt | draft-ietf-stir-rph-emergency-services-07.txt > | |||
|---|---|---|---|---|
| STIR M. Dolly | STIR M. Dolly | |||
| Internet-Draft AT&T | Internet-Draft AT&T | |||
| Intended status: Standards Track C. Wendt | Intended status: Standards Track C. Wendt | |||
| Expires: July 29, 2021 Comcast | Expires: September 12, 2021 Comcast | |||
| January 25, 2021 | March 11, 2021 | |||
| Assertion Values for a Resource Priority Header Claim and a SIP Priority | Assertion Values for a Resource Priority Header Claim and a SIP Priority | |||
| Header Claim in Support of Emergency Services Networks | Header Claim in Support of Emergency Services Networks | |||
| draft-ietf-stir-rph-emergency-services-05 | draft-ietf-stir-rph-emergency-services-07 | |||
| Abstract | Abstract | |||
| This document adds new assertion values for a Resource Priority | This document adds new assertion values for a Resource Priority | |||
| Header ("rph") claim and a new SIP Priority Header claim ("sph") for | Header ("rph") claim and a new SIP Priority Header claim ("sph") for | |||
| protection of the "psap-callback" value as part of the "rph" PASSporT | protection of the "psap-callback" value as part of the "rph" PASSporT | |||
| extension, in support of the security of Emergency Services Networks | extension, in support of the security of Emergency Services Networks | |||
| for emergency call origination and callback. | for emergency call origination and callback. | |||
| Status of This Memo | Status of This Memo | |||
| skipping to change at page 1, line 36 ¶ | skipping to change at page 1, line 36 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on July 29, 2021. | This Internet-Draft will expire on September 12, 2021. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 3, line 11 ¶ | skipping to change at page 3, line 11 ¶ | |||
| signing party authorization. A signed SIP "Resource-Priority" or | signing party authorization. A signed SIP "Resource-Priority" or | |||
| "Priority" header field will allow a receiving entity (including | "Priority" header field will allow a receiving entity (including | |||
| entities located in different network domains/boundaries) to verify | entities located in different network domains/boundaries) to verify | |||
| the validity of assertions to act on the information with confidence | the validity of assertions to act on the information with confidence | |||
| that the information has not been spoofed or compromised. | that the information has not been spoofed or compromised. | |||
| This document adds new "auth" array key values for a Resource | This document adds new "auth" array key values for a Resource | |||
| Priority Header ("rph") claim defined in [RFC8443], in support of | Priority Header ("rph") claim defined in [RFC8443], in support of | |||
| Emergency Services Networks for emergency call origination and | Emergency Services Networks for emergency call origination and | |||
| callback. This document additionally defines a new PASSporT claim, | callback. This document additionally defines a new PASSporT claim, | |||
| "sph", including protection of the SIP Priority header for the | "sph", including protection of the SIP Priority header field for the | |||
| indication of an emergency service call-back assigned the value | indication of an emergency service call-back assigned the value | |||
| "psap-callback" as defined in [RFC7090]. The use of the newly | "psap-callback" as defined in [RFC7090]. The use of the newly | |||
| defined claim and key values corresponding to the SIP 'Resource- | defined claim and key values corresponding to the SIP 'Resource- | |||
| Priority' and 'Priority' header fields for emergency services is | Priority' and 'Priority' header fields for emergency services is | |||
| introduced in [I-D.rosen-stir-emergency-calls] but otherwise out-of- | introduced in [I-D.rosen-stir-emergency-calls] but otherwise out-of- | |||
| scope of this document. In addition, the PASSPorT claims and values | scope of this document. In addition, the PASSPorT claims and values | |||
| defined in this document are intended for use in environments where | defined in this document are intended for use in environments where | |||
| there are means to verify that the signer of the SIP 'Resource- | there are means to verify that the signer of the SIP 'Resource- | |||
| Priority' and 'Priority' header fields is authoritative. | Priority' and 'Priority' header fields is authoritative. | |||
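Review bot: the change from "SIP Priority header" to "SIP Priority header field" in the new column is consistent with the other terminology edits in this revision, but the same paragraph still carries "PASSPorT claims and values" in both columns where the rest of the document writes "PASSporT"; suggest correcting it while this paragraph is being touched. The sentence "intended for use in environments where there are means to verify that the signer of the SIP 'Resource-Priority' and 'Priority' header fields is authoritative" is the deployment assumption a verifier relies on before acting on these values, so consider cross-referencing the Security Considerations section from here.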
| skipping to change at page 3, line 37 ¶ | skipping to change at page 3, line 37 ¶ | |||
| 14 [RFC2119] [RFC8174] when, and only when, they appear in all | 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| 3. New Assertion Values for "rph" claim | 3. New Assertion Values for "rph" claim | |||
| This specification defines the ability to sign the SIP Resource- | This specification defines the ability to sign the SIP Resource- | |||
| Priority Header field namespace for local emergency communications | Priority Header field namespace for local emergency communications | |||
| defined in [RFC7135] and represented by the string "esnet.x" where x | defined in [RFC7135] and represented by the string "esnet.x" where x | |||
| is the priority-level allowed in the esnet namespace. As of the | is the priority-level allowed in the esnet namespace. As of the | |||
| writing of this specification the priority-level is between 0 and 4, | writing of this specification the priority-level is between 0 and 4, | |||
| but may be extended by future specifications. | inclusive, but may be extended by future specifications. | |||
| Similar to the values allowed by [RFC8443] for the "auth" JSON object | Similar to the values defined by [RFC8443] for the "auth" JSON object | |||
| key inside the "rph" claim, the string "esnet.x" with the appropriate | key inside the "rph" claim, the string "esnet.x" with the appropriate | |||
| value should be used when resource priority is required for local | value should be used when resource priority is required for local | |||
| emergency communications corresponding and exactly matching the SIP | emergency communications corresponding and exactly matching the SIP | |||
| Resource-Priority header string representing the namespace invoked in | Resource-Priority header field representing the namespace invoked in | |||
| the call. | the call. | |||
| When using "esnet.x" as the "auth" assertion value in emergency | When using "esnet.x" as the "auth" assertion value in emergency | |||
| service destined calls, the "orig" claim of the PASSporT MUST | service destined calls, the "orig" claim of the PASSporT MUST | |||
| represent the calling party number that initiates the call to | represent the calling party number that initiates the call to | |||
| emergency services. The "dest" claim MUST either be a country or | emergency services. The "dest" claim MUST either be a country or | |||
| region specific dial string (e.g., "911" for North America or "112" | region specific dial string (e.g., "911" for North America or "112" | |||
| GSM defined string used in Europe and other countries) or | GSM defined string used in Europe and other countries) or | |||
| "urn:service:sos" as defined in [RFC5031], representing the emergency | "urn:service:sos" as defined in [RFC5031], representing the emergency | |||
| services destination of the call. | services destination of the call. | |||
| The following is an example of an "rph" claim for SIP 'Resource- | The following is an example of an "rph" claim for SIP 'Resource- | |||
| Priority' header field with an "esnet.1" assertion: | Priority' header field with an "esnet.1" assertion: | |||
| { | { | |||
| "orig":{"tn":"12155551212"}, | ||||
| "dest":{"uri":["urn:service:sos"]}, | "dest":{"uri":["urn:service:sos"]}, | |||
| "iat":1443208345, | "iat":1615471428, | |||
| "orig":{"tn":"12155551212"}, | ||||
| "rph":{"auth":["esnet.1"]} | "rph":{"auth":["esnet.1"]} | |||
| } | } | |||
| For emergency services callbacks, the "orig" claim of the "rph" | For emergency services callbacks, the "orig" claim of the "rph" | |||
| PASSporT MUST represent the Public Saftey Answering Point (PSAP) | PASSporT MUST represent the Public Saftey Answering Point (PSAP) | |||
| telephone number. The "dest" claim MUST be the telephone number | telephone number. The "dest" claim MUST be the telephone number | |||
| representing the original calling party of the emergency service call | representing the original calling party of the emergency service call | |||
| that is being called back. | that is being called back. | |||
| The following is an example of an "rph" claim for SIP 'Resource- | The following is an example of an "rph" claim for SIP 'Resource- | |||
| Priority' header field with a "esnet.0" assertion: | Priority' header field with a "esnet.0" assertion: | |||
| { | { | |||
| "orig":{"tn":"12155551213"}, | ||||
| "dest":{"tn":["12155551212"]}, | "dest":{"tn":["12155551212"]}, | |||
| "iat":1443208345, | "iat":1615471428, | |||
| "orig":{"tn":"12155551213"}, | ||||
| "rph":{"auth":["esnet.0"]} | "rph":{"auth":["esnet.0"]} | |||
| } | } | |||
| After the header and claims PASSporT objects have been constructed, | After the header and claims PASSporT objects have been constructed, | |||
| their signature is generated normally per the guidance in [RFC8225] | their signature is generated normally per the guidance in [RFC8225] | |||
| using the full form of PASSPorT. The credentials (i.e., Certificate) | using the full form of PASSPorT. The credentials (i.e., Certificate) | |||
| used to create the signature must have authority over the namespace | used to create the signature must have authority over the namespace | |||
| of the "rph" claim, and there is only one authority per claim. The | of the "rph" claim, and there is only one authority per claim. The | |||
| authority MUST use its credentials associated with the specific | authority MUST use its credentials associated with the specific | |||
| service supported by the resource priority namespace in the claim. | service supported by the resource priority namespace in the claim. | |||
| If r-values are added or dropped by the intermediaries along the | If r-values are added or dropped by the intermediaries along the | |||
| path, the intermediaries must generate a new "rph" header and sign | path, the intermediaries must generate a new "rph" identity header | |||
| the claim with their own authority. | and sign the claim with their own authority. | |||
| 4. The SIP Priority header "sph" claim | 4. The SIP Priority header "sph" claim | |||
| As defined in [RFC7090] the SIP Priority header may be set to the | As defined in [RFC7090] the SIP Priority header field may be set to | |||
| value "psap-callback" for emergency services callback calls. Because | the value "psap-callback" for emergency services callback calls. | |||
| some SIP networks may act on this value and provide priority or other | Because some SIP networks may act on this value and provide priority | |||
| special routing based on this value, it is important to protect and | or other special routing based on this value, it is important to | |||
| validate the authoritative use associated with it. | protect and validate the authoritative use associated with it. | |||
| Therefore, we define a new claim key as part of the "rph" PASSporT, | Therefore, we define a new claim key as part of the "rph" PASSporT, | |||
| "sph". This is an optional claim that MUST only be used only with an | "sph". This is an optional claim that MUST only be used only with an | |||
| "auth" claim with an "esnet.x" value indicating an authorized | "auth" claim with an "esnet.x" value indicating an authorized | |||
| emergency callback call and corresponding to a SIP Priority header | emergency callback call and corresponding to a SIP Priority header | |||
| with the value "psap-callback". | field with the value "psap-callback". | |||
| The value of the "sph" claim key should only be "psap-callback" which | The value of the "sph" claim key should only be "psap-callback" which | |||
| MUST match the SIP Priority header field value for authorized | MUST match the SIP Priority header field value for authorized | |||
| emergency services callbacks. If the value is anything other than | emergency services callbacks. If the value is anything other than | |||
| "psap-callback", the PASSporT validation MUST be considered a failure | "psap-callback", the PASSporT validation MUST be considered a failure | |||
| case. | case. | |||
| Note: Because the intended use of this specification is only for | Note: Because the intended use of this specification is only for | |||
| emergency services, there is also an explicit assumption that the | emergency services, there is also an explicit assumption that the | |||
| signer of the "rph" PASSporT can authoritatively represent both the | signer of the "rph" PASSporT can authoritatively represent both the | |||
| content of the Resource Priority Header and Priority Header | content of the Resource Priority Header field and Priority Header | |||
| information associated specifically with a emergency services | field information associated specifically with a emergency services | |||
| callback case where both could exist. This document is not intended | callback case where both could exist. This document is not intended | |||
| to be a general mechanism for protecting SIP Priority Header fields, | to be a general mechanism for protecting SIP Priority Header fields, | |||
| this could be accomplished as part of future work with a new PASSporT | this could be accomplished as part of future work with a new PASSporT | |||
| extension or new claim added to either an existing PASSporT or | extension or new claim added to either an existing PASSporT or | |||
| PASSporT extension usage. | PASSporT extension usage. | |||
| The following is an example of an "sph" claim for SIP 'Priority' | The following is an example of an "sph" claim for SIP 'Priority' | |||
| header field with the value "psap-callback": | header field with the value "psap-callback": | |||
| { | { | |||
| "orig":{"tn":"12155551213"}, | ||||
| "dest":{"tn":["12155551212"]}, | "dest":{"tn":["12155551212"]}, | |||
| "iat":1443208345, | "iat":1615471428, | |||
| "orig":{"tn":"12155551213"}, | ||||
| "rph":{"auth":["esnet.0"]}, | "rph":{"auth":["esnet.0"]}, | |||
| "sph":"psap-callback" | "sph":"psap-callback" | |||
| } | } | |||
| 5. Order of Claim Keys | 5. Order of Claim Keys | |||
| The order of the claim keys MUST follow the rules of [RFC8225] | The order of the claim keys MUST follow the rules of [RFC8225] | |||
| Section 9; the claim keys MUST appear in lexicographic order. | Section 9 which defines the deterministic JSON serialization used for | |||
| Therefore, the claim keys discussed in this document appear in the | signature generation (and validation); the claim keys MUST appear in | |||
| PASSporT Payload in the following order, | lexicographic order. Therefore, the claim keys discussed in this | |||
| document appear in the PASSporT Payload in the following order, | ||||
| o dest | o dest | |||
| o iat | o iat | |||
| o orig | o orig | |||
| o rph | o rph | |||
| o sph | o sph | |||
| 6. Compact Form of PASSporT | 6. Compact Form of PASSporT | |||
| The use of the compact form of PASSporT is not specified in this | The use of the compact form of PASSporT is not specified in this | |||
| document or recommended for 'rph' PASSporTs. | document or recommended for 'rph' PASSporTs. | |||
| 7. Acknowledgements | 7. Acknowledgements | |||
| The authors would like to thank Brian Rosen, Terry Reese, and Jon | The authors would like to thank Brian Rosen, Terry Reese, and Jon | |||
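Review bot: in the "sph" rules (the paragraph beginning "The value of the "sph" claim key should only be "psap-callback""), only a value other than "psap-callback" is explicitly named as a validation failure. That paragraph says the value MUST match the SIP Priority header field value, and the preceding paragraph says "sph" MUST only be used with an "auth" "esnet.x" value, but neither states the verifier's behaviour when those conditions fail (an "sph" claim alongside a Priority header field that does not carry "psap-callback", or alongside an "rph" auth array with no "esnet.x" value). Suggest stating explicitly that these cases are also validation failures, so a verifier does not treat the PASSporT as valid and apply callback priority handling. Smaller points that survive unchanged in both columns: "Public Saftey" should read "Public Safety"; "MUST only be used only with" duplicates "only"; "a emergency services" should read "an emergency services"; and "must have authority" and "must generate" use lowercase "must" where the surrounding text uses RFC 2119 key words, so clarify whether these are normative. The new wording "rph identity header" would read better as "Identity header field" to match the "header field" edits elsewhere in this revision. The move of "orig" after "iat" in the three examples correctly matches the lexicographic order given in Section 5.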
| skipping to change at page 6, line 33 ¶ | skipping to change at page 6, line 35 ¶ | |||
| Claim Name: "sph" | Claim Name: "sph" | |||
| Claim Description: SIP Priority header field | Claim Description: SIP Priority header field | |||
| Change Controller: IESG | Change Controller: IESG | |||
| Specification Document(s): [RFCThis] | Specification Document(s): [RFCThis] | |||
| 9. Security Considerations | 9. Security Considerations | |||
| The security considerations discussed in [RFC8224], Section 12, are | The security considerations discussed in [RFC8224], [RFC8225], and | |||
| applicable here. | [RFC8443] are applicable here. | |||
| 10. References | 10. References | |||
| 10.1. Normative References | 10.1. Normative References | |||
| [RFC4412] Schulzrinne, H. and J. Polk, "Communications Resource | [RFC4412] Schulzrinne, H. and J. Polk, "Communications Resource | |||
| Priority for the Session Initiation Protocol (SIP)", | Priority for the Session Initiation Protocol (SIP)", | |||
| RFC 4412, DOI 10.17487/RFC4412, February 2006, | RFC 4412, DOI 10.17487/RFC4412, February 2006, | |||
| <https://www.rfc-editor.org/info/rfc4412>. | <https://www.rfc-editor.org/info/rfc4412>. | |||
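Review bot: the new Security Considerations text broadens the references from "[RFC8224], Section 12" to [RFC8224], [RFC8225], and [RFC8443] but drops the section pointer and still says nothing specific to this document. The trust assumption stated earlier (the claims are intended for environments where there are means to verify that the signer of the 'Resource-Priority' and 'Priority' header fields is authoritative, and in the callback case the signer can authoritatively represent both header fields) is what a verifier depends on before granting "esnet.x" or "psap-callback" treatment; suggest restating it here together with the consequence that a PASSporT whose signer lacks that authority is not to be acted on. Also, since [RFC8224], [RFC8225] and [RFC8443] are now cited normatively, check that they appear in the Normative References list; the excerpt shown here lists only [RFC4412].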
| End of changes. 21 change blocks. | ||||
| 30 lines changed or deleted | 31 lines changed or added | |||