< draft-ietf-drip-rid-17.txt   draft-ietf-drip-rid-18.txt >
DRIP R. Moskowitz DRIP R. Moskowitz
Internet-Draft HTT Consulting Internet-Draft HTT Consulting
Updates: 7401, 7343 (if approved) S. Card Updates: 7401, 7343 (if approved) S. Card
Intended status: Standards Track A. Wiethuechter Intended status: Standards Track A. Wiethuechter
Expires: 20 September 2022 AX Enterprize, LLC Expires: 2 October 2022 AX Enterprize, LLC
A. Gurtov A. Gurtov
Linköping University Linköping University
19 March 2022 31 March 2022
DRIP Entity Tag (DET) for Unmanned Aircraft System Remote Identification DRIP Entity Tag (DET) for Unmanned Aircraft System Remote Identification
(UAS RID) (UAS RID)
draft-ietf-drip-rid-17 draft-ietf-drip-rid-18
Abstract Abstract
This document describes the use of Hierarchical Host Identity Tags This document describes the use of Hierarchical Host Identity Tags
(HHITs), updating both [RFC7401] and [RFC7343], as self-asserting (HHITs), updating both [RFC7401] and [RFC7343], as self-asserting
IPv6 addresses and thereby a trustable identifier for use as the IPv6 addresses and thereby a trustable identifier for use as the
Unmanned Aircraft System Remote Identification and tracking (UAS Unmanned Aircraft System Remote Identification and tracking (UAS
RID). Within the context of RID, HHITs will be called DRIP Entity RID). Within the context of RID, HHITs will be called DRIP Entity
Tags (DET). HHITs self-attest to the included explicit hierarchy Tags (DET). HHITs self-attest to the included explicit hierarchy
that provides Registrar discovery for 3rd-party identifier that provides Registrar discovery for 3rd-party identifier
skipping to change at page 1, line 42 skipping to change at page 1, line 42
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 20 September 2022. This Internet-Draft will expire on 2 October 2022.
Copyright Notice Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 2, line 46 skipping to change at page 2, line 46
4. Hierarchical HITs as Remote ID DRIP Entity Tags (DET) . . . . 14 4. Hierarchical HITs as Remote ID DRIP Entity Tags (DET) . . . . 14
4.1. Nontransferablity of DETs . . . . . . . . . . . . . . . . 15 4.1. Nontransferablity of DETs . . . . . . . . . . . . . . . . 15
4.2. Encoding HHITs in CTA 2063-A Serial Numbers . . . . . . . 15 4.2. Encoding HHITs in CTA 2063-A Serial Numbers . . . . . . . 15
4.3. Remote ID DET as one class of Hierarchical HITs . . . . . 17 4.3. Remote ID DET as one class of Hierarchical HITs . . . . . 17
4.4. Hierarchy in ORCHID Generation . . . . . . . . . . . . . 17 4.4. Hierarchy in ORCHID Generation . . . . . . . . . . . . . 17
4.5. DRIP Entity Tag (DET) Registry . . . . . . . . . . . . . 17 4.5. DRIP Entity Tag (DET) Registry . . . . . . . . . . . . . 17
4.6. Remote ID Authentication using DETs . . . . . . . . . . . 17 4.6. Remote ID Authentication using DETs . . . . . . . . . . . 17
5. DRIP Entity Tags (DETs) in DNS . . . . . . . . . . . . . . . 18 5. DRIP Entity Tags (DETs) in DNS . . . . . . . . . . . . . . . 18
6. Other UTM Uses of HHITs beyond DET . . . . . . . . . . . . . 19 6. Other UTM Uses of HHITs beyond DET . . . . . . . . . . . . . 19
7. Summary of Addressed DRIP Requirements . . . . . . . . . . . 19 7. Summary of Addressed DRIP Requirements . . . . . . . . . . . 19
8. DET Privacy . . . . . . . . . . . . . . . . . . . . . . . . . 20 8. DET Privacy . . . . . . . . . . . . . . . . . . . . . . . . . 19
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20
9.1. New IANA DRIP Registry . . . . . . . . . . . . . . . . . 21 9.1. New IANA DRIP Registry . . . . . . . . . . . . . . . . . 20
9.2. IANA CGA Registry Update . . . . . . . . . . . . . . . . 21 9.2. IANA CGA Registry Update . . . . . . . . . . . . . . . . 21
9.3. IANA HIP Registry Updates . . . . . . . . . . . . . . . . 22 9.3. IANA HIP Registry Updates . . . . . . . . . . . . . . . . 21
9.4. IANA IPSECKEY Registry Update . . . . . . . . . . . . . . 22 9.4. IANA IPSECKEY Registry Update . . . . . . . . . . . . . . 22
9.5. New Well-Known IPv6 prefix for DETs . . . . . . . . . . . 23 9.5. New Well-Known IPv6 prefix for DETs . . . . . . . . . . . 23
10. Security Considerations . . . . . . . . . . . . . . . . . . . 24 10. Security Considerations . . . . . . . . . . . . . . . . . . . 24
10.1. DET Trust . . . . . . . . . . . . . . . . . . . . . . . 25 10.1. DET Trust . . . . . . . . . . . . . . . . . . . . . . . 25
10.2. Collision Risks with DETs . . . . . . . . . . . . . . . 26 10.2. Collision Risks with DETs . . . . . . . . . . . . . . . 26
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 26 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 26
11.1. Normative References . . . . . . . . . . . . . . . . . . 26 11.1. Normative References . . . . . . . . . . . . . . . . . . 26
11.2. Informative References . . . . . . . . . . . . . . . . . 27 11.2. Informative References . . . . . . . . . . . . . . . . . 27
Appendix A. EU U-Space RID Privacy Considerations . . . . . . . 30 Appendix A. EU U-Space RID Privacy Considerations . . . . . . . 30
skipping to change at page 7, line 10 skipping to change at page 7, line 10
Initially, for DET use, one 28-bit prefix should be assigned out of Initially, for DET use, one 28-bit prefix should be assigned out of
the IANA IPv6 Special Purpose Address Block, namely 2001::/23, as per the IANA IPv6 Special Purpose Address Block, namely 2001::/23, as per
[RFC6890]. [RFC6890].
HHIT Use Bits Value HHIT Use Bits Value
DET 28 TBD6 (suggested value 2001:30::/28) DET 28 TBD6 (suggested value 2001:30::/28)
Other prefixes may be added in the future either for DET use or other Other prefixes may be added in the future either for DET use or other
applications of HHITs. For a prefix to be added to this registry, applications of HHITs. For a prefix to be added to this registry,
its usage and HID allocation process needs to be publically its usage and HID allocation process needs to be publicly available.
available.
3.2. HHIT Suite IDs 3.2. HHIT Suite IDs
The HHIT Suite IDs specify the HI and hash algorithms. These are a The HHIT Suite IDs specify the HI and hash algorithms. These are a
superset of the HIT Suite ID as defined in Section 5.2.10 of superset of the HIT Suite ID as defined in Section 5.2.10 of
[RFC7401]. [RFC7401].
The HHIT values of 1 - 15 map to the 4-bit HIT Suite IDs. HHIT The HHIT values of 1 - 15 map to the 4-bit HIT Suite IDs. HHIT
values of 17 - 31 map to the 8-bit HIT Suite IDs. HHIT values unique values of 17 - 31 map to the 8-bit HIT Suite IDs. HHIT values unique
to HHIT will start with value 32. to HHIT will start with value 32.
skipping to change at page 8, line 21 skipping to change at page 8, line 21
* 14-bit Hierarchical HIT Domain Authority (HDA) * 14-bit Hierarchical HIT Domain Authority (HDA)
The rationale for the 14/14 HID split is described in Appendix B. The rationale for the 14/14 HID split is described in Appendix B.
3.3.1. The Registered Assigning Authority (RAA) 3.3.1. The Registered Assigning Authority (RAA)
An RAA is a business or organization that manages a registry of HDAs. An RAA is a business or organization that manages a registry of HDAs.
For example, the Federal Aviation Authority (FAA) could be an RAA. For example, the Federal Aviation Authority (FAA) could be an RAA.
The RAA is a 14-bit field (16,384 RAAs) assigned by ICAO The RAA is a 14-bit field (16,384 RAAs) managed as described in
(International Civil Aviation Organization, a UN Agency). An RAA [drip-registries]. An RAA must provide a set of services to allocate
must provide a set of services to allocate HDAs to organizations. It HDAs to organizations. It must have a public policy on what is
must have a public policy on what is necessary to obtain an HDA. The necessary to obtain an HDA. The RAA need not maintain any HIP
RAA need not maintain any HIP related services. It must maintain a related services. It must maintain a DNS zone minimally for
DNS zone minimally for discovering HID RVS servers. discovering HID RVS servers. The zone delegation is also covered in
[drip-registries].
The ICAO registration process will be available from ICAO. Once ICAO
accepts an RAA, it will assign a number and create a zone delegation
under the uas.icao.int. DNS zone for the RAA.
As HHITs may be used in many different domains, RAA should be As HHITs may be used in many different domains, RAA should be
allocated in blocks with consideration on the likely size of a allocated in blocks with consideration on the likely size of a
particular usage. Alternatively, different prefixes can be used to particular usage. Alternatively, different prefixes can be used to
separate different domains of use of HHITs. separate different domains of use of HHITs.
This DNS zone may be a PTR for its RAA. It may be a zone in an HHIT This DNS zone may be a PTR for its RAA. It may be a zone in an HHIT
specific DNS zone. Assume that the RAA is 100. The PTR record could specific DNS zone. Assume that the RAA is 100. The PTR record could
be constructed as follows: be constructed as follows:
100.hhit.arpa IN PTR raa.bar.com. 100.hhit.arpa IN PTR raa.bar.com.
3.3.2. The Hierarchical HIT Domain Authority (HDA) 3.3.2. The Hierarchical HIT Domain Authority (HDA)
An HDA may be an ISP or any third party that takes on the business to An HDA may be an ISP, USS, or any third party that takes on the
provide RVS and other needed services such as those required for HIP- business to provide UAS services management, HIP RVS or other needed
enabled devices. services such as those required for HHIT and/or HIP-enabled devices.
The HDA is an 14-bit field (16,384 HDAs per RAA) assigned by an RAA. The HDA is a 14-bit field (16,384 HDAs per RAA) assigned by an RAA as
An HDA should maintain a set of RVS servers for UAS clients that may described in [drip-registries]. An HDA must maintain public and
use HIP. How this is done and scales to the potentially millions of private UAS registration information and should maintain a set of RVS
customers are outside the scope of this document. This service servers for UAS clients that may use HIP. How this is done and
scales to the potentially millions of customers are outside the scope
of this document, though covered in [drip-registries]. This service
should be discoverable through the DNS zone maintained by the HDA's should be discoverable through the DNS zone maintained by the HDA's
RAA. RAA.
An RAA may assign a block of values to an individual organization. An RAA may assign a block of values to an individual organization.
This is completely up to the individual RAA's published policy for This is completely up to the individual RAA's published policy for
delegation. Such policy is out of scope. delegation. Such policy is out of scope.
3.4. Edward Digital Signature Algorithm for HHITs 3.4. Edward Digital Signature Algorithm for HHITs
The Edwards-Curve Digital Signature Algorithm (EdDSA) [RFC8032] is The Edwards-Curve Digital Signature Algorithm (EdDSA) [RFC8032] is
skipping to change at page 16, line 9 skipping to change at page 16, line 9
controller) must only use "the serial number of the unmanned controller) must only use "the serial number of the unmanned
aircraft"; CTA 2063-A meets this requirement. aircraft"; CTA 2063-A meets this requirement.
Encoding an HHIT within the CTA 2063-A format is not simple. The CTA Encoding an HHIT within the CTA 2063-A format is not simple. The CTA
2063-A format is defined as: 2063-A format is defined as:
Serial Number := MFR Code | Length Code | MFR SN Serial Number := MFR Code | Length Code | MFR SN
where: where:
MFR Code : 4 character code assigned by ICAO. MFR Code : 4 character code assigned by ICAO
(International Civil Aviation Organization,
a UN Agency).
Length Code : 1 character Hex encoding of MFR SN length (1-F). Length Code : 1 character Hex encoding of MFR SN length (1-F).
MFR SN : Alphanumeric code (0-9, A-Z except O and I). MFR SN : Alphanumeric code (0-9, A-Z except O and I).
Maximum length of 15 characters. Maximum length of 15 characters.
There is no place for the HID; there will need to be a mapping There is no place for the HID; there will need to be a mapping
service from Manufacturer Code to HID. The HIT Suite ID and ORCHID service from Manufacturer Code to HID. The HHIT Suite ID and ORCHID
hash will take 14 characters (as described below), leaving 1 hash will take the full 15 characters (as described below) of the MFR
character to distinguish encoded DETs from other manufacturer use of SN field.
CTA 2063-A Serial Numbers.
A character in a CTA 2063-A Serial Number "shall include any A character in a CTA 2063-A Serial Number "shall include any
combination of digits and uppercase letters, except the letters O and combination of digits and uppercase letters, except the letters O and
I, but may include all digits". This would allow for a Base34 I, but may include all digits". This would allow for a Base34
encoding of the binary HIT Suite ID and ORCHID hash. Although, encoding of the binary HHIT Suite ID and ORCHID hash in 15
programmatically, such a conversion is not hard, other technologies characters. Although, programmatically, such a conversion is not
(e.g., credit card payment systems) that have used such odd base hard, other technologies (e.g., credit card payment systems) that
encoding have had performance challenges. Thus, here a Base32 have used such odd base encoding have had performance challenges.
encoding will be used by also excluding the letters Z and S (too Thus, here a Base32 encoding will be used by also excluding the
similar to the digits 2 and 5). letters Z and S (too similar to the digits 2 and 5).
The low-order 68 bits (HIT Suite ID | ORCHID hash) of the HHIT SHALL The low-order 72 bits (HHIT Suite ID | ORCHID hash) of the HHIT SHALL
be left-padded with 2 bits of zeros. This 70-bit number will be be left-padded with 3 bits of zeros. This 75-bit number will be
encoded into 14 characters using the digit/letters above. The encoded into the 15 character MFR SN field using the digit/letters
manufacturer MUST use a Length Code of F (15). The first character above. The manufacturer MUST use a Length Code of F (15).
after the Length Code MUST be 'Z', followed by the 14 characters of
the encoded HIT Suite ID and ORCHID hash. This construct allows the
manufacturer to construct other MFR SN of length 15 by avoiding
starting them with 'Z'.
Using the sample DET from Section 5 that is for HDA=20 under RAA=10 Using the sample DET from Section 5 that is for HDA=20 under RAA=10
and having the ICAO CTA MFR Code of 8653, the 20-character CTA 2063-A and having the ICAO CTA MFR Code of 8653, the 20-character CTA 2063-A
Serial Number would be: Serial Number would be:
8653FZ2T7B8RA85D19LX 8653F02T7B8RA85D19LX
A mapping service (e.g., DNS) MUST provide a trusted (e.g., via A mapping service (e.g., DNS) MUST provide a trusted (e.g., via
DNSSEC) conversion of the 4-character Manufacturer Code to high-order DNSSEC) conversion of the 4-character Manufacturer Code to high-order
60 bits (Prefix | HID) of the HHIT. Definition of this mapping 58 bits (Prefix | HID) of the HHIT. Definition of this mapping
service is currently out of scope of this document. service is currently out of scope of this document.
It should be noted that this encoding would only be used in the Basic It should be noted that this encoding would only be used in the Basic
ID Message. The HHIT DET will still be used in the Authentication ID Message. The HHIT DET will still be used in the Authentication
Messages. Messages.
4.3. Remote ID DET as one class of Hierarchical HITs 4.3. Remote ID DET as one class of Hierarchical HITs
UAS Remote ID DET may be one of a number of uses of HHITs. However, UAS Remote ID DET may be one of a number of uses of HHITs. However,
it is out of the scope of the document to elaborate on other uses of it is out of the scope of the document to elaborate on other uses of
skipping to change at page 19, line 16 skipping to change at page 19, line 9
and dynamic (e.g., new DETs every minute for some HDAs) to store in a and dynamic (e.g., new DETs every minute for some HDAs) to store in a
signed, DNS zone. The HDA SHOULD provide DNS service for its zone signed, DNS zone. The HDA SHOULD provide DNS service for its zone
and provide the HHIT detail response. A secure connection (e.g., DNS and provide the HHIT detail response. A secure connection (e.g., DNS
over TLS) to the authoritative zone may be a viable alternative to over TLS) to the authoritative zone may be a viable alternative to
DNSSEC. DNSSEC.
The DET reverse lookup can be a standard IPv6 reverse look up, or it The DET reverse lookup can be a standard IPv6 reverse look up, or it
can leverage off the HHIT structure. If we assume a prefix of can leverage off the HHIT structure. If we assume a prefix of
2001:30::/28, the RAA is 10 and the HDA is 20, the DET is: 2001:30::/28, the RAA is 10 and the HDA is 20, the DET is:
2001:30:a0:145:a3ad:1952:ad0:a69e 2001:30:280:1405:a3ad:1952:ad0:a69e
A DET reverse lookup could be to: A DET reverse lookup could be to:
a69e.ad0.1952.a3ad.145.a0.30.2001.20.10.det.arpa. a69e.ad0.1952.a3ad.1405.280.30.2001.20.10.det.arpa.
or: or:
a3ad1952ad0a69e.5.20.10.30.2001.det.remoteid.icao.int. a3ad1952ad0a69e.5.20.10.30.2001.det.remoteid.icao.int.
A 'standard' ip6.arpa RR has the advantage of only one Registry A 'standard' ip6.arpa RR has the advantage of only one Registry
service supported. service supported.
$ORIGIN 5.4.1.0.0.a.0.0.0.3.0.0.1.0.0.2.ip6.arpa. $ORIGIN 5.0.4.1.0.8.2.0.0.3.0.0.1.0.0.2.ip6.arpa.
e.9.6.a.0.d.a.0.2.5.9.1.d.a.3.a IN PTR e.9.6.a.0.d.a.0.2.5.9.1.d.a.3.a IN PTR
6. Other UTM Uses of HHITs beyond DET 6. Other UTM Uses of HHITs beyond DET
HHITs might be used within the UTM architecture beyond DET (and USS HHITs might be used within the UTM architecture beyond DET (and USS
in UA ID registration and authentication), for example, as a GCS HHIT in UA ID registration and authentication), for example, as a GCS HHIT
ID. The GCS may use its HIIT if it is the source of Network Remote ID. The GCS may use its HIIT if it is the source of Network Remote
ID for securing the transport and for secure C2 transport (e.g., ID for securing the transport and for secure C2 transport (e.g.,
[drip-secure-nrid-c2]). [drip-secure-nrid-c2]).
skipping to change at page 28, line 26 skipping to change at page 28, line 26
[drip-authentication] [drip-authentication]
Wiethuechter, A., Card, S., and R. Moskowitz, "DRIP Wiethuechter, A., Card, S., and R. Moskowitz, "DRIP
Authentication Formats & Protocols for Broadcast Remote Authentication Formats & Protocols for Broadcast Remote
ID", Work in Progress, Internet-Draft, draft-ietf-drip- ID", Work in Progress, Internet-Draft, draft-ietf-drip-
auth-05, 7 March 2022, auth-05, 7 March 2022,
<https://datatracker.ietf.org/doc/html/draft-ietf-drip- <https://datatracker.ietf.org/doc/html/draft-ietf-drip-
auth-05>. auth-05>.
[drip-registries] [drip-registries]
Wiethuechter, A., Card, S., and R. Moskowitz, "DRIP Wiethuechter, A., Card, S., Moskowitz, R., and J. Reid,
Registries", Work in Progress, Internet-Draft, draft- "DRIP Registries", Work in Progress, Internet-Draft,
wiethuechter-drip-registries-01, 22 October 2021, draft-ietf-drip-registries-01, 7 March 2022,
<https://datatracker.ietf.org/doc/html/draft-wiethuechter- <https://datatracker.ietf.org/doc/html/draft-ietf-drip-
drip-registries-01>. registries-01>.
[drip-secure-nrid-c2] [drip-secure-nrid-c2]
Moskowitz, R., Card, S. W., Wiethuechter, A., and A. Moskowitz, R., Card, S. W., Wiethuechter, A., and A.
Gurtov, "Secure UAS Network RID and C2 Transport", Work in Gurtov, "Secure UAS Network RID and C2 Transport", Work in
Progress, Internet-Draft, draft-moskowitz-drip-secure- Progress, Internet-Draft, draft-moskowitz-drip-secure-
nrid-c2-04, 21 October 2021, nrid-c2-04, 21 October 2021,
<https://datatracker.ietf.org/doc/html/draft-moskowitz- <https://datatracker.ietf.org/doc/html/draft-moskowitz-
drip-secure-nrid-c2-04>. drip-secure-nrid-c2-04>.
[F3411] ASTM International, "Standard Specification for Remote ID [F3411] ASTM International, "Standard Specification for Remote ID
 End of changes. 23 change blocks. 
58 lines changed or deleted 53 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/