< draft-schulzrinne-ecrit-psap-callback-00.txt   draft-schulzrinne-ecrit-psap-callback-01.txt >
ECRIT H. Schulzrinne ECRIT H. Schulzrinne
Internet-Draft Columbia University Internet-Draft Columbia University
Intended status: Informational H. Tschofenig Intended status: Informational H. Tschofenig
Expires: September 4, 2009 Nokia Siemens Networks Expires: April 29, 2010 Nokia Siemens Networks
March 3, 2009 M. Patel
Nortel
October 26, 2009
Marking of Calls initiated by Public Safety Answering Points (PSAPs) Public Safety Answering Point (PSAP) Callbacks
draft-schulzrinne-ecrit-psap-callback-00.txt draft-schulzrinne-ecrit-psap-callback-01.txt
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
skipping to change at page 1, line 33 skipping to change at page 1, line 35
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on September 4, 2009. This Internet-Draft will expire on April 29, 2010.
Copyright Notice Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info). publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. and restrictions with respect to this document.
Abstract Abstract
After an emerency call is completed it is possible that the need for After an emergency call is completed (either prematurely terminated
further communication between the call-taker and the emergency caller by the emergency caller or normally by the call-taker) it is possible
arises. For example, further assistance may be needed but the that the call-taker feels the need for further communication or for a
communication previously got interrupted. A call-taker may trigger a clarification. For example, the call may have been dropped by
callback towards the emergency caller using the contact information accident without the call-taker having sufficient information about
provided with the initial emergency call. This callback would then the current situation of a wounded person. A call-taker may trigger
be treated like any other call. As a consequence, it may get blocked a callback towards the emergency caller using the contact information
by authorization policies configured by the person seeking help or provided with the initial emergency call. This callback could, under
may get forwarded to his answering machine. certain circumstances, then be treated like any other call and as a
consequence, it may get blocked by authorization policies or may get
forwarded to an answering machine.
The current ECRIT framework document addresses callbacks in a limited The IETF emergency services architecture addresses callbacks in a
fashion and thereby covers a few scenarios. This document discusses limited fashion and thereby covers a couple of scenarios. This
shortcomings and raises the question whether additional solution document discusses some shortcomings and raises the question whether
techniques are needed. additional solution techniques are needed.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Multi-Stage Resolution . . . . . . . . . . . . . . . . . . 4 1.1. Multi-Stage Resolution . . . . . . . . . . . . . . . . . . 4
1.2. Call Forwarding . . . . . . . . . . . . . . . . . . . . . 6 1.2. Call Forwarding . . . . . . . . . . . . . . . . . . . . . 6
1.3. PSTN Interworking . . . . . . . . . . . . . . . . . . . . 8 1.3. PSTN Interworking . . . . . . . . . . . . . . . . . . . . 8
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 9 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 9
3. Requirements . . . . . . . . . . . . . . . . . . . . . . . . . 10 3. Requirements and Design Approaches . . . . . . . . . . . . . . 10
4. Solution Approaches . . . . . . . . . . . . . . . . . . . . . 11 4. Solution Approaches . . . . . . . . . . . . . . . . . . . . . 12
5. Security Considerations . . . . . . . . . . . . . . . . . . . 12 5. Security Considerations . . . . . . . . . . . . . . . . . . . 14
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 13 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 15
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 16
7.1. Informative References . . . . . . . . . . . . . . . . . . 14 7.1. Informative References . . . . . . . . . . . . . . . . . . 16
7.2. Informative References . . . . . . . . . . . . . . . . . . 14 7.2. Informative References . . . . . . . . . . . . . . . . . . 16
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 15 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 18
1. Introduction 1. Introduction
Summoning police, the fire department or an ambulance in emergencies Summoning police, the fire department or an ambulance in emergencies
is one of the fundamental and most-valued functions of the telephone. is one of the fundamental and most-valued functions of the telephone.
As telephone functionality moves from circuit-switched telephony to As telephone functionality moves from circuit-switched telephony to
Internet telephony, its users rightfully expect that this core Internet telephony, its users rightfully expect that this core
functionality will continue to work at least as well as it has for functionality will continue to work at least as well as it has for
the legacy technology. New devices and services are being made the legacy technology. New devices and services are being made
available that could be used to make a request for help, which are available that could be used to make a request for help, which are
not traditional telephones, and users are increasingly expecting them not traditional telephones, and users are increasingly expecting them
to be used to place emergency calls. to be used to place emergency calls.
Regulatory requirements demand that the emergency call itself Regulatory requirements demand that the emergency call itself
provides enough information to allow the call-taker to initiate a provides enough information to allow the call-taker to initiate a
call back to the emergency caller in case the call dropped or to call back to the emergency caller in case the call dropped or to
interact with the emergency caller later in case of questions. Such interact with the emergency caller in case of further questions.
a call, referred as PSAP callback subsequently in this document, may, Such a call, referred as PSAP callback subsequently in this document,
however, be blocked or forwarded to an answering machine as SIP may, however, be blocked or forwarded to an answering machine as SIP
entities (SIP proxies as well as the SIP UA itself) cannot associate entities (SIP proxies as well as the SIP UA itself) cannot associate
the potential importantance of the call based on the SIP signaling. the potential importantance of the call based on the SIP signaling.
Note that the authors are, however, not aware of regulatory Note that the authors are, however, not aware of regulatory
requirements for providing preferential treatment of callbacks requirements for providing preferential treatment of callbacks
initiated by the call-taker at the PSAP towards the emergency initiated by the call-taker at the PSAP towards the emergency
caller nor that these calls have to be treated in any form caller.
differently from any other call.
Section 10 of [I-D.ietf-ecrit-framework] discusses the identifiers Section 10 of [I-D.ietf-ecrit-framework] discusses the identifiers
required for callbacks. Section 13 of [I-D.ietf-ecrit-framework] required for callbacks, namely AOR URI and a globally routable URI in
provides the following guidance regarding callback handling: a Contact: header. Section 13 of [I-D.ietf-ecrit-framework] provides
the following guidance regarding callback handling:
A UA may be able to determine a PSAP call back by examining the A UA may be able to determine a PSAP call back by examining the
domain of incoming calls after placing an emergency call and domain of incoming calls after placing an emergency call and
comparing that to the domain of the answering PSAP from the comparing that to the domain of the answering PSAP from the
emergency call. Any call from the same domain and directed to the emergency call. Any call from the same domain and directed to the
supplied Contact header or AoR after an emergency call should be supplied Contact header or AoR after an emergency call should be
accepted as a call-back from the PSAP if it occurs within a accepted as a call-back from the PSAP if it occurs within a
reasonable time after an emergency call was placed. reasonable time after an emergency call was placed.
This approach mimics a stateful packet filtering firewall and is This approach mimics a stateful packet filtering firewall and is
indeed helpful in a number of cases but it may fail in others. indeed helpful in a number of cases. Below, we discuss a few cases
Below, we discuss a few cases where this approach fails. where this approach fails.
1.1. Multi-Stage Resolution 1.1. Multi-Stage Resolution
Consider the following emergency call routing scenario shown in Consider the following emergency call routing scenario shown in
Figure 1 where routing towards the PSAP occurs in several stages. An Figure 1 where routing towards the PSAP occurs in several stages. An
emergency call uses a SIP UA that does not run LoST on the end point. emergency call uses a SIP UA that does not run LoST on the end point.
Hence, the call is marked with the 'urn:service:sos' Service URN Hence, the call is marked with the 'urn:service:sos' Service URN
[RFC5031]. The user's VoIP provider receives the emergency call and [RFC5031]. The user's VoIP provider receives the emergency call and
determines where to route it. Local configuration or a LoST lookup determines where to route it. Local configuration or a LoST lookup
skipping to change at page 10, line 5 skipping to change at page 10, line 5
Figure 3: PSTN Interworking Figure 3: PSTN Interworking
2. Terminology 2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
Emergency services related terminology is borrowed from [RFC5012]. Emergency services related terminology is borrowed from [RFC5012].
3. Requirements 3. Requirements and Design Approaches
From the previously presented scenarios, the following generic From the previously presented scenarios, the following generic
requirements can be crafted: requirements can be crafted:
Reliable Identification:
The solution approach MUST offer a way to reliable detect a PSAP
callback in light of the challenges presented in Section 1.
Resistance Against Security Vulnerabilities: Resistance Against Security Vulnerabilities:
The main possibility of attack involves use of the PSAP callback The main possibility of attack involves use of the PSAP callback
marking to bypass blacklists, ignore call forwarding procedures marking to bypass blacklists, ignore call forwarding procedures
and similar features to interact with users and to raise their and similar features to interact with users and to raise their
attention. For example, using PSAP callback marking devices would attention. For example, using PSAP callback marking devices would
be able to recognize these types of incoming messages leading to be able to recognize these types of incoming messages leading to
the device overriding user interface configurations, such as the device overriding user interface configurations, such as
vibrate-only mode. As such, the requirement is ensure that only vibrate-only mode. As such, the requirement is to ensure that the
PSAPs can issue callbacks. This may require secure identification mechanisms described in this document can not be used for
of the calling party. malicious purposes, including SPIT.
Fallback to Normal Call Fallback to Normal Call
When the newly defined extension is not recognized by When the newly defined extension is not recognized by
intermediaries or other entities then it MUST NOT lead to a intermediaries or other entities then it MUST NOT lead to a
failure of the call handling procedure but rather a fall-back to a failure of the call handling procedure but rather a fall-back to a
call that did not have any marking provided. call that did not have any marking provided.
A further differentiation has to be made with respect to relationship In addition to the high-level requirements there are a few design
between the person who previously received the emergency call and the choices.
person who triggers the callback. The choices are:
o The callback has to be made using the same UA. What is the granularity of the decision making?
o The callback has to made by the same user but potentially with a There are a few choices that impact the solution mechanism quite
different UA. considerably:
o A different user from a different UA can make the callback. * Verify that the caller is a PSAP
[Editor' Note: A requirement has to be formulated.] * Verify that the call is in response to a previous emergency
call.
4. Solution Approaches * Verify that the call is related to an emergency, but not
necessarily an earlier emergency call. This might include
public notification (authority-to-citizen).
This version of the document does not yet contain any specific Who calls back?
solution approaches. An example solution can be found in an earlier
version of [I-D.patel-ecrit-sos-parameter]. The usage of the In-
Reply-To header is another one.
Solution categories can be clustered into three areas: The relationship between the person who previously received the
emergency call and the person who triggers the callback allows a
couple of choices:
1. Verify that the caller is a PSAP * The callback has to be made using the same User Agent.
2. Verify that the call is related to an emergency, but not * The callback has to made by the same user but potentially with
necessarily an earlier emergency call. This might include public a different UA.
notification (authority-to-citizen).
3. Verify that the call is returning an earlier emergency call. * A different user from a different UA can make the callback.
These solution differ in their semantics and in the security impact 4. Solution Approaches
or user choice.
This version of the document does not yet contain a fully specified
solution description. Instead, it tries to explore the different
alternatives.
An example solution can be found in an earlier version of
[I-D.patel-ecrit-sos-parameter]. The "sos" URI parameter is appended
to the URI in the Contact header field of the INVITE request for PSAP
call-back establishment. Although this approach can distinguish the
PSAP call-back from other sessions, such a solution is prone to
security vulnerabilities since the insertion of the URI parameter
cannot verify the request was generated from a PSAP rather than a
malicious entity.
The usage of the In-Reply-To header field can provide the capability
to relate the PSAP call-back to a previously made emergency call.
The UA of the emergency caller, as well as enities within the service
provider's network can therefore infer that the request is a PSAP
callback, providing they maintained information pertaining to the
emergency call. This solution also relies on the PSAP call-back
routing over the same entities that the emergency call was routed
over if such a solution is used to provide preferential treatment of
callbacks. A solution based on the inclusion of the In-Reply-To
header would be useful in the case the network or the UA is required
to disable services or features which may prevent the callback from
reaching the UA from which the emergency call was placed.
Furthermore, it may facilitate success of the callback by removing,
for example, incoming call barring restrictions that may have been
enforced for the emergency caller's service.
To fulfill the requirements of verifying the caller is a PSAP,
mechanisms such as those described in RFC 4474 [RFC4474] or in RFC
3325 [RFC3325] are recommended to be used. Such an approach would
mitigate security vulnerabilities, but does not explicitly mark the
request generated from the PSAP as a request for callback.
Additional information, such a PSAP whitelist, would have to be
known. This is, however, only likely to work in a smaller scale
rather than world wide.
The use of the Calling Party's Category URI parameter in the
P-Asserted-Identity [RFC3325], as described in
[I-D.patel-dispatch-cpc-oli-parameter], is one method of a network
asserted identifier, describing the nature of the calling party and
in this case, the PSAP. This approach only works when the entity
that inserts the CPC parameter is trusted by those who verify it.
This relies on a circle of trust similar to the a white list.
Additionally, it has to be mentioned that unlike [I-D.ietf-sip-saml]
applying SIP Identity over the parameter does not ensure that the
authentication service indeed asserts the validity of the parameter.
5. Security Considerations 5. Security Considerations
This document provides discussions problems of PSAP callbacks and This document provides discussions problems of PSAP callbacks and
lists requirements, some of which illustrate security challenges. lists requirements, some of which illustrate security challenges.
The current version does not yet provide a specific solution but The current version does not yet provide a specific solution but
rather starts with overall architectural observations. rather starts with overall architectural observations.
An important aspect from a security point of view is the relationship An important aspect from a security point of view is the relationship
between the emergency services network and the VSP (assuming that the between the emergency services network and the VSP (assuming that the
skipping to change at page 13, line 8 skipping to change at page 15, line 8
the PSAP operator and the VSP (for example based on a peering the PSAP operator and the VSP (for example based on a peering
relationship) without any intermediate VoIP providers then the relationship) without any intermediate VoIP providers then the
identification of a PSAP call back is less problematic than in the identification of a PSAP call back is less problematic than in the
case where the two entities have not entered in some form of case where the two entities have not entered in some form of
relationship that would allow the VSP to verify whether the marked relationship that would allow the VSP to verify whether the marked
callback message indeed came from a legitimate source. callback message indeed came from a legitimate source.
6. Acknowledgements 6. Acknowledgements
We would like to thank members from the ECRIT working group, in We would like to thank members from the ECRIT working group, in
particular Brian Rosen and Milan Patel, for their discussions around particular Brian Rosen, for their discussions around PSAP callbacks.
PSAP callbacks.
7. References 7. References
7.1. Informative References 7.1. Informative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
7.2. Informative References 7.2. Informative References
[I-D.ietf-ecrit-framework] [I-D.ietf-ecrit-framework]
Rosen, B., Schulzrinne, H., Polk, J., and A. Newton, Rosen, B., Schulzrinne, H., Polk, J., and A. Newton,
"Framework for Emergency Calling using Internet "Framework for Emergency Calling using Internet
Multimedia", draft-ietf-ecrit-framework-08 (work in Multimedia", draft-ietf-ecrit-framework-10 (work in
progress), February 2009. progress), July 2009.
[I-D.ietf-sip-saml]
Tschofenig, H., Hodges, J., Peterson, J., Polk, J., and D.
Sicker, "SIP SAML Profile and Binding",
draft-ietf-sip-saml-06 (work in progress), March 2009.
[I-D.patel-dispatch-cpc-oli-parameter]
Patel, M., Jesske, R., and M. Dolly, "Uniform Resource
Identifier (URI) Parameters for indicating the Calling
Party's Catagory and Originating Line Identity",
draft-patel-dispatch-cpc-oli-parameter-00 (work in
progress), October 2009.
[I-D.patel-ecrit-sos-parameter] [I-D.patel-ecrit-sos-parameter]
Patel, M., "SOS Uniform Resource Identifier (URI) Patel, M., "SOS Uniform Resource Identifier (URI)
Parameter for Marking of Session Initiation Protocol Parameter for Marking of Session Initiation Protocol
(SIP) Requests related to Emergency Services", (SIP) Requests related to Emergency Services",
draft-patel-ecrit-sos-parameter-03 (work in progress), draft-patel-ecrit-sos-parameter-06 (work in progress),
January 2009. May 2009.
[RFC3325] Jennings, C., Peterson, J., and M. Watson, "Private
Extensions to the Session Initiation Protocol (SIP) for
Asserted Identity within Trusted Networks", RFC 3325,
November 2002.
[RFC4474] Peterson, J. and C. Jennings, "Enhancements for
Authenticated Identity Management in the Session
Initiation Protocol (SIP)", RFC 4474, August 2006.
[RFC5012] Schulzrinne, H. and R. Marshall, "Requirements for [RFC5012] Schulzrinne, H. and R. Marshall, "Requirements for
Emergency Context Resolution with Internet Technologies", Emergency Context Resolution with Internet Technologies",
RFC 5012, January 2008. RFC 5012, January 2008.
[RFC5031] Schulzrinne, H., "A Uniform Resource Name (URN) for [RFC5031] Schulzrinne, H., "A Uniform Resource Name (URN) for
Emergency and Other Well-Known Services", RFC 5031, Emergency and Other Well-Known Services", RFC 5031,
January 2008. January 2008.
Authors' Addresses Authors' Addresses
skipping to change at line 416 skipping to change at page 18, line 27
Hannes Tschofenig Hannes Tschofenig
Nokia Siemens Networks Nokia Siemens Networks
Linnoitustie 6 Linnoitustie 6
Espoo 02600 Espoo 02600
Finland Finland
Phone: +358 (50) 4871445 Phone: +358 (50) 4871445
Email: Hannes.Tschofenig@gmx.net Email: Hannes.Tschofenig@gmx.net
URI: http://www.tschofenig.priv.at URI: http://www.tschofenig.priv.at
Milan Patel
Nortel
Maidenhead Office Park, Westacott Way
Maidenhead SL6 3QH
UK
Email: milanpa@nortel.com
 End of changes. 29 change blocks. 
71 lines changed or deleted 138 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/