< draft-ietf-ecrit-trustworthy-location-06.txt		draft-ietf-ecrit-trustworthy-location-07.txt >
	ECRIT Working Group H. Tschofenig		ECRIT Working Group H. Tschofenig
	INTERNET-DRAFT Nokia Siemens Networks		INTERNET-DRAFT Nokia Siemens Networks
	Category: Informational H. Schulzrinne		Category: Informational H. Schulzrinne
	Expires: January 14, 2014 Columbia University		Expires: February 14, 2014 Columbia University
	B. Aboba (ed.)		B. Aboba (ed.)
	Skype		Skype
	15 July 2013		30 July 2013
	Trustworthy Location		Trustworthy Location
	draft-ietf-ecrit-trustworthy-location-06.txt		draft-ietf-ecrit-trustworthy-location-07.txt
	Abstract		Abstract
	For some location-based applications, such as emergency calling or		For some location-based applications, such as emergency calling or
	roadside assistance, the trustworthiness of location information is		roadside assistance, the trustworthiness of location information is
	critically important.		critically important.
	This document describes how to convey location in a manner that is		This document describes how to convey location in a manner that is
	inherently secure and reliable. It also provides guidelines for		inherently secure and reliable. It also provides guidelines for
	assessing the trustworthiness of location information.		assessing the trustworthiness of location information.
	skipping to change at page 1, line 39 ¶		skipping to change at page 1, line 39 ¶
	Internet-Drafts are working documents of the Internet Engineering		Internet-Drafts are working documents of the Internet Engineering
	Task Force (IETF). Note that other groups may also distribute		Task Force (IETF). Note that other groups may also distribute
	working documents as Internet-Drafts. The list of current Internet-		working documents as Internet-Drafts. The list of current Internet-
	Drafts is at http://datatracker.ietf.org/drafts/current/.		Drafts is at http://datatracker.ietf.org/drafts/current/.
	Internet-Drafts are draft documents valid for a maximum of six months		Internet-Drafts are draft documents valid for a maximum of six months
	and may be updated, replaced, or obsoleted by other documents at any		and may be updated, replaced, or obsoleted by other documents at any
	time. It is inappropriate to use Internet-Drafts as reference		time. It is inappropriate to use Internet-Drafts as reference
	material or to cite them other than as "work in progress."		material or to cite them other than as "work in progress."
	This Internet-Draft will expire on January 14, 2014.		This Internet-Draft will expire on February 14, 2014.
	Copyright Notice		Copyright Notice
	Copyright (c) 2013 IETF Trust and the persons identified as the		Copyright (c) 2013 IETF Trust and the persons identified as the
	document authors. All rights reserved.		document authors. All rights reserved.
	This document is subject to BCP 78 and the IETF Trust's Legal		This document is subject to BCP 78 and the IETF Trust's Legal
	Provisions Relating to IETF Documents		Provisions Relating to IETF Documents
	(http://trustee.ietf.org/license-info) in effect on the date of		(http://trustee.ietf.org/license-info) in effect on the date of
	publication of this document. Please review these documents		publication of this document. Please review these documents
	skipping to change at page 4, line 49 ¶		skipping to change at page 4, line 49 ¶
	for a Location-by-Reference Mechanism" [RFC5808].		for a Location-by-Reference Mechanism" [RFC5808].
	"Trustworthy Location" is defined as location information that can be		"Trustworthy Location" is defined as location information that can be
	attributed to a trusted source, has been protected against		attributed to a trusted source, has been protected against
	modification in transmit, and has been assessed as trustworthy.		modification in transmit, and has been assessed as trustworthy.
	"Location Trust Assessment" refers to the process by which the		"Location Trust Assessment" refers to the process by which the
	reliability of location information can be assessed. This topic is		reliability of location information can be assessed. This topic is
	discussed in Section 4.		discussed in Section 4.
	[I.D.thomson-geopriv-location-dependability] Section 2 defines		The following additional terms apply to location spoofing:
	terminology relating to location fabrication:
	Place Shifting: In place shifting, an attacker selects any location
	(presumably somewhere other than where they are currently located)
	and constructs a PIDF-LO based on that information.
	Time Shifting: In a time shifting, or replay, attack the attacker		"Place Shifting" is where the attacker constructs a PIDF-LO for a
	uses location information that was valid in the past, but is no		location other than where they are currently located. In some cases,
	longer valid because the attacker has moved since the location was		place shifting can be limited in range (e.g., within the coverage
	generated.		area of a particular cell tower).
	Location Theft: An attacker that is able to observe the Target's		"Time Shifting" is where the attacker uses or re-uses location
	location information can replay this information and thereby		information that was valid in the past, but is no longer valid
	appear to be at the same location.		because the attacker has moved.
	Location Swapping: Two colluding attackers can conspire to fake		"Location Theft" is where the attacker captures a Target's location
	location by exchanging location information. One attacker can		information and presents it as their own. Location theft can occur
	pretend to be at the other's location.		on a one-off basis, or may be continuous (e.g., where the attacker
			has gained control over the victim's device). Location theft may
			also be combined with time shifting to present someone else's
			location information after the original Target has moved. Where the
			Target and attacker collude, the term "location swapping" is used.
	2. Threats		2. Threats
	While previous IETF documents have analyzed aspects of the security		While previous IETF documents have analyzed aspects of the security
	of emergency services or threats to geographic location privacy,		of emergency services or threats to geographic location privacy,
	those documents do not cover the threats arising from unreliable		those documents do not cover the threats arising from unreliable
	location information.		location information.
	A threat analysis of the emergency services system is provided in		A threat analysis of the emergency services system is provided in
	"Security Threats and Requirements for Emergency Call Marking and		"Security Threats and Requirements for Emergency Call Marking and
	skipping to change at page 6, line 51 ¶		skipping to change at page 6, line 50 ¶
	several avenues are available to provide false location information:		several avenues are available to provide false location information:
	1. The end host could fabricate a PIDF-LO and convey it within an		1. The end host could fabricate a PIDF-LO and convey it within an
	emergency call;		emergency call;
	2. The VSP (and indirectly a LIS) could be fooled into using the		2. The VSP (and indirectly a LIS) could be fooled into using the
	wrong identity (such as an IP address) for location lookup,		wrong identity (such as an IP address) for location lookup,
	thereby providing the end host with misleading location		thereby providing the end host with misleading location
	information;		information;
	3. Inaccurate or out-of-date information (such spoofed GPS		3. Inaccurate or out-of-date information (such as spoofed GPS
	signals, a stale wiremap or an inaccurate access point location		signals, a stale wiremap or an inaccurate access point location
	database) could be utilized by the LIS or the end host in its		database) could be utilized by the LIS or the end host in its
	location determination, thereby leading to an inaccurate		location determination, thereby leading to an inaccurate
	determination of location.		determination of location.
	The following represent examples of location forging threats:		The following represent examples of location spoofing:
	Place shifting: Trudy, the adversary, pretends to be at an arbitrary		Place shifting: Trudy, the adversary, pretends to be at an
	location. In some cases, place shifting can be limited in range,		arbitrary location.
	e.g., to the coverage area of a particular cell tower.
	Time shifting: Trudy pretends to be at a location she was a while		Time shifting: Trudy pretends to be at a location she was a
	ago.		while ago.
	Location theft: Trudy observes Alice's location and replays it as		Location theft: Trudy observes Alice's location and replays
	her own.		it as her own.
	Location swapping: Trudy and Malory, located in different locations,		Location swapping: Trudy and Malory collude and swap location
	can collude and swap location information and pretend to be in		information, pretending to be in each other's location.
	each other's location.
	2.2. Identity Spoofing		2.2. Identity Spoofing
	With calls originating on an IP network, at least two forms of		With calls originating on an IP network, at least two forms of
	identity are relevant, with the distinction created by the split		identity are relevant, with the distinction created by the split
	between the AIP and the VSP:		between the AIP and the VSP:
	(a) network access identity such as might be determined via		(a) network access identity such as might be determined via
	authentication (e.g., using the Extensible Authentication Protocol		authentication (e.g., using the Extensible Authentication Protocol
	(EAP) [RFC3748]);		(EAP) [RFC3748]);
End of changes. 14 change blocks.
	32 lines changed or deleted		29 lines changed or added
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/