idnits 2.17.1 draft-ietf-drip-arch-11.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 212 has weird spacing: '...bserver x x...' == Line 299 has weird spacing: '...perator xxxxx...' == The document doesn't use any RFC 2119 keywords, yet has text resembling RFC 2119 boilerplate text. -- The document date (22 February 2021) is 1152 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Informational ---------------------------------------------------------------------------- == Outdated reference: A later version (-18) exists of draft-ietf-drip-reqs-06 == Outdated reference: A later version (-37) exists of draft-ietf-drip-rid-06 -- Obsolete informational reference (is this intentional?): RFC 7482 (Obsoleted by RFC 9082) -- Obsolete informational reference (is this intentional?): RFC 7484 (Obsoleted by RFC 9224) Summary: 1 error (**), 0 flaws (~~), 6 warnings (==), 4 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 drip S. Card 3 Internet-Draft A. Wiethuechter 4 Intended status: Informational AX Enterprize 5 Expires: 26 August 2021 R. Moskowitz 6 HTT Consulting 7 S. Zhao (Editor) 8 Tencent 9 A. Gurtov 10 Linkoeping University 11 22 February 2021 13 Drone Remote Identification Protocol (DRIP) Architecture 14 draft-ietf-drip-arch-11 16 Abstract 18 This document defines an architecture for protocols and services to 19 support Unmanned Aircraft System Remote Identification and tracking 20 (UAS RID), plus RID-related communications, including required 21 architectural building blocks and their interfaces. 23 Status of This Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at https://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on 26 August 2021. 40 Copyright Notice 42 Copyright (c) 2021 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 47 license-info) in effect on the date of publication of this document. 48 Please review these documents carefully, as they describe your rights 49 and restrictions with respect to this document. Code Components 50 extracted from this document must include Simplified BSD License text 51 as described in Section 4.e of the Trust Legal Provisions and are 52 provided without warranty as described in the Simplified BSD License. 54 Table of Contents 56 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 57 1.1. Overview UAS Remote ID (RID) and RID Standardization . . 3 58 1.2. Overview of Types of UAS Remote ID . . . . . . . . . . . 4 59 1.2.1. Broadcast RID . . . . . . . . . . . . . . . . . . . . 4 60 1.2.2. Network RID . . . . . . . . . . . . . . . . . . . . . 5 61 1.3. Overview of USS Interoperability . . . . . . . . . . . . 6 62 1.4. Overview of DRIP Architecture . . . . . . . . . . . . . . 7 63 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 9 64 3. Definitions and Abbreviations . . . . . . . . . . . . . . . . 9 65 3.1. Additional Definitions . . . . . . . . . . . . . . . . . 9 66 3.2. Abbreviations . . . . . . . . . . . . . . . . . . . . . . 9 67 3.3. Claims, Assertions, Attestations, and Certificates . . . 10 68 4. HHIT for DRIP Entity Identifier . . . . . . . . . . . . . . . 11 69 4.1. UAS Remote Identifiers Problem Space . . . . . . . . . . 11 70 4.2. HIT as A Trustworthy DRIP Entity Identifier . . . . . . . 12 71 4.3. HHIT for DRIP Identifier Registration and Lookup . . . . 12 72 4.4. HHIT for DRIP Identifier Cryptographic . . . . . . . . . 13 73 5. DRIP Identifier Registration and Registries . . . . . . . . . 14 74 5.1. Public Information Registry . . . . . . . . . . . . . . . 14 75 5.1.1. Background . . . . . . . . . . . . . . . . . . . . . 14 76 5.1.2. Proposed Approach . . . . . . . . . . . . . . . . . . 14 77 5.2. Private Information Registry . . . . . . . . . . . . . . 14 78 5.2.1. Background . . . . . . . . . . . . . . . . . . . . . 15 79 5.2.2. Proposed Approach . . . . . . . . . . . . . . . . . . 15 80 6. Harvesting Broadcast Remote ID messages for UTM Inclusion . . 15 81 6.1. The CS-RID Finder . . . . . . . . . . . . . . . . . . . . 16 82 6.2. The CS-RID SDSP . . . . . . . . . . . . . . . . . . . . . 16 83 7. Privacy for Broadcast PII . . . . . . . . . . . . . . . . . . 16 84 8. Security Considerations . . . . . . . . . . . . . . . . . . . 17 85 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 17 86 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 17 87 10.1. Normative References . . . . . . . . . . . . . . . . . . 17 88 10.2. Informative References . . . . . . . . . . . . . . . . . 18 89 Appendix A. Overview of Unmanned Aircraft Systems (UAS) Traffic 90 Management (UTM) . . . . . . . . . . . . . . . . . . . . 20 91 A.1. Operation Concept . . . . . . . . . . . . . . . . . . . . 20 92 A.2. UAS Service Supplier (USS) . . . . . . . . . . . . . . . 21 93 A.3. UTM Use Cases for UAS Operations . . . . . . . . . . . . 21 94 A.4. Automatic Dependent Surveillance Broadcast (ADS-B) . . . 22 95 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22 97 1. Introduction 99 This document describes an architecture for protocols and services to 100 support Unmanned Aircraft System Remote Identification and tracking 101 (UAS RID), plus RID-related communications, conforming to proposed 102 and final regulations plus external technical standards, satisfying 103 the requirements listed in the companion requirements document 104 [I-D.ietf-drip-reqs]. 106 1.1. Overview UAS Remote ID (RID) and RID Standardization 108 UAS Remote Identification (RID) is an application enabler for a UAS 109 to be identified by UTM/USS or third parties entities such as law 110 enforcement. Many safety and other considerations dictate that UAS 111 be remotely identifiable. CAAs worldwide are mandating UAS RID. The 112 European Union Aviation Safety Agency (EASA) has published 113 [Delegated] and [Implementing] Regulations. 115 CAAs currently promulgate performance-based regulations that do not 116 specify techniques, but rather cite industry consensus technical 117 standards as acceptable means of compliance. 119 FAA 121 The FAA published a Notice of Proposed Rule Making [NPRM] in 2019 122 and whereafter published the Final Rule [FAA_RID] in 2021. 124 ASTM 126 ASTM International, Technical Committee F38 (UAS), Subcommittee 127 F38.02 (Aircraft Operations), Work Item WK65041, developed the 128 ASTM [F3411-19] Standard Specification for Remote ID and Tracking. 130 ASTM defines one set of RID information and two means, MAC-layer 131 broadcast and IP-layer network, of communicating it. If a UAS 132 uses both communication methods, the same information must be 133 provided via both means. The [F3411-19] is cited by FAA in its 134 RID final rule [FAA_RID] as "a potential means of compliance" to a 135 Remote ID rule. 137 3GPP 139 With release 16, 3GPP completed the UAS RID requirement study 140 [TS-22.825] and proposed use cases in the mobile network and the 141 services that can be offered based on RID. Release 17 142 specification works on enhanced UAS service requirements and 143 provides the protocol and application architecture support which 144 is applicable for both 4G and 5G network. 146 1.2. Overview of Types of UAS Remote ID 148 1.2.1. Broadcast RID 150 A set of RID messages are defined for direct, one-way, broadcast 151 transmissions from the UA over Bluetooth or Wi-Fi. These are 152 currently defined as MAC-Layer messages. Internet (or other Wide 153 Area Network) connectivity is only needed for UAS registry 154 information lookup by Observers using the locally directly received 155 UAS RID as a key. Broadcast RID should be functionally usable in 156 situations with no Internet connectivity. 158 The Broadcast RID is illustrated in Figure 1 below. 160 x x UA 161 xxxxx 162 | 163 | 164 | app messages directly over 165 | one-way RF data link (no IP) 166 | 167 | 168 + 169 x 170 xxxxx 171 x 172 x 173 x x Observer's device (e.g. smartphone) 174 x x 176 Figure 1 178 With Broadcast RID, an Observer is limited to their radio "visible" 179 airspace for UAS awareness and information. With Internet queries 180 using harvested RID (see Section 6), the Observer may gain more 181 information about those visible UAS. 183 1.2.2. Network RID 185 A RID data dictionary and data flow for Network RID are defined in 186 [F3411-19]. This data flow is from a UAS via unspecified means (but 187 at least in part over the Internet) to a Network Remote ID Service 188 Provider (Net-RID SP). These Net-RID SPs provide the RID data to 189 Network Remote ID Display Providers (Net-RID DP). It is the Net-RID 190 DP that responds to queries from Network Remote ID Observers 191 (expected typically, but not specified exclusively, to be web-based) 192 specifying airspace volumes of interest. Network RID depends upon 193 connectivity, in several segments, via the Internet, from the UAS to 194 the Observer. 196 The Network RID is illustrated in Figure 2 below: 198 x x UA 199 xxxxx ******************** 200 | \ * ------*---+------------+ 201 | \ * / * | NET_RID_SP | 202 | \ * ------------/ +---*--+------------+ 203 | RF \ */ | * 204 | * INTERNET | * +------------+ 205 | /* +---*--| NET_RID_DP | 206 | / * +---*--+------------+ 207 + / * | * 208 x / *****************|*** x 209 xxxxx | xxxxx 210 x +------- x 211 x x 212 x x Operator (GCS) Observer x x 213 x x x x 215 Figure 2 217 Command and Control (C2) must flow from the GCS to the UA via some 218 path (ex. a direct RF link, but with increasing BVLOS operations 219 expected often to be wireless links at either end with the Internet 220 between). For all but the simplest hobby aircraft, telemetry (at 221 least position and heading) flows from the UA to the GCS via some 222 path (typically the reverse of the C2 path). Thus RID information 223 pertaining to both the GCS and the UA can be sent by whichever has 224 Internet connectivity to the Net-RID SP (typically the USS managing 225 the UAS operation). The Net-RID SP forwards RID information via the 226 Internet to subscribed Net-RID DP (typically other USS). Subscribed 227 Net-RID DP forward RID information via the Internet to subscribed 228 Observer devices. Regulations require and [F3411-19] describes RID 229 data elements end-to-end. [F3411-19] prescribes the protocol only 230 among Net-RID SP, Net-RID DP, and the Discovery and Synchronization 231 Service (DSS). 233 Informative note: Neither link layer protocols nor the use of 234 links (e.g., the link often existing between the GCS and the 235 UA) for any purpose other than carriage of RID information is 236 in the scope of [F3411-19] Network RID.. 238 1.3. Overview of USS Interoperability 240 Each UAS is registered to at least one USS. With Net-RID, there is 241 direct communication between the UAS and its USS. With Broadcast- 242 RID, the UAS Operator has either pre-filed a 4D space volume for USS 243 operational knowledge and/or Observers can be providing information 244 about observed UA to a USS. USS exchange information via a Discovery 245 and Synchronization Service (DSS) so all USS collectively have 246 knowledge about all activities in a 4D airspace. 248 The interactions among Observer, UA, and USS are shown in Figure 3. 250 +----------+ 251 | Observer | 252 +----------+ 253 / \ 254 / \ 255 +-----+ +-----+ 256 | UA1 | | UA2 | 257 +-----+ +-----+ 258 \ / 259 \ / 260 +----------+ 261 | Internet | 262 +----------+ 263 / \ 264 / \ 265 +-------+ +-------+ 266 | USS-1 | <-------> | USS-2 | 267 +-------+ +-------+ 268 \ / 269 \ / 270 +------+ 271 | DSS | 272 +------+ 274 Figure 3 276 1.4. Overview of DRIP Architecture 278 The requirements document [I-D.ietf-drip-reqs] also provides an 279 extended introduction to the problem space, use cases, etc. Only a 280 brief summary of that introduction will be restated here as context, 281 with reference to the general UAS RID usage scenarios shown in 282 Figure 4 below. 284 General x x Public 285 Public xxxxx xxxxx Safety 286 Observer x x Observer 287 x x 288 x x ---------+ +---------- x x 289 x x | | x x 290 | | 291 UA1 x x | | +------------ x x UA2 292 xxxxx | | | xxxxx 293 | + + + | 294 | xxxxxxxxxx | 295 | x x | 296 +----------+x Internet x+------------+ 297 UA1 | x x | UA1 298 Pilot x | xxxxxxxxxx | x Pilot 299 Operator xxxxx + + + xxxxx Operator 300 GCS1 x | | | x GCS2 301 x | | | x 302 x x | | | x x 303 x x | | | x x 304 | | | 305 +----------+ | | | +----------+ 306 | |------+ | +-------| | 307 | Public | | | Private | 308 | Registry | +-----+ | Registry | 309 | | | DNS | | | 310 +----------+ +-----+ +----------+ 312 Figure 4 314 DRIP will enable leveraging existing Internet resources (standard 315 protocols, services, infrastructure, and business models) to meet UAS 316 RID and closely related needs. DRIP will specify how to apply IETF 317 standards, complementing [F3411-19] and other external standards, to 318 satisfy UAS RID requirements. DRIP will update existing and develop 319 new protocol standards as needed to accomplish the foregoing. 321 This document will outline the UAS RID architecture into which DRIP 322 must fit and the architecture for DRIP itself. This includes 323 presenting the gaps between the CAAs' Concepts of Operations and 324 [F3411-19] as it relates to the use of Internet technologies and UA 325 direct RF communications. Issues include, but are not limited to: 327 - Design of trustworthy remote ID and trust in RID messages 328 (Section 4) 330 - Mechanisms to leverage Domain Name System (DNS: [RFC1034]), 331 Extensible Provisioning Protocol (EPP [RFC5731]) and 332 Registration Data Access Protocol (RDAP) ([RFC7482]) to provide 333 for private (Section 5.2) and public (Section 5.1) Information 334 Registry. 336 - Harvesting broadcast remote ID messages for UTM inclusion 337 (Section 6) 339 - Privacy in RID messages (PII protection) (Section 7) 341 2. Conventions 343 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 344 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 345 "OPTIONAL" in this document are to be interpreted as described in BCP 346 14 [RFC2119] [RFC8174] when, and only when, they appear in all 347 capitals, as shown above. 349 3. Definitions and Abbreviations 351 3.1. Additional Definitions 353 This document uses terms defined in [I-D.ietf-drip-reqs]. 355 3.2. Abbreviations 357 ADS-B: Automatic Dependent Surveillance Broadcast 359 DSS: Discovery & Synchronization Service 361 EdDSA: Edwards-Curve Digital Signature Algorithm 363 GCS: Ground Control Station 365 HHIT: Hierarchical HIT Registries 367 HIP: Host Identity Protocol 369 HIT: Host Identity Tag 371 RID: Remote ID 373 Net-RID SP: Network RID Service Provider 375 Net-RID DP: Network RID Display Provider. 377 PII: Personally Identifiable Information 378 RF: Radio Frequency 380 SDSP: Supplemental Data Service Provider 382 UA: Unmanned Aircraft 384 UAS: Unmanned Aircraft System 386 USS: UAS Service Supplier 388 UTM: UAS Traffic Management 390 3.3. Claims, Assertions, Attestations, and Certificates 392 This section introduces the terms "Claims", "Assertions", 393 "Attestations", and "Certificates" as used in DRIP. 395 This is due to the term "certificate" having significant 396 technological and legal baggage associated with it, specifically 397 around X.509 certificates. These types of certificates and Public 398 Key Infrastructure invoke more legal and public policy considerations 399 than probably any other electronic communication sector. It emerged 400 as a governmental platform for trusted identity management and was 401 pursued in intergovernmental bodies with links into treaty 402 instruments. 404 Claims: 406 A claim in DRIP is a predicate (e.g., "X is Y", "X has property 407 Y", and most importantly "X owns Y" or "X is owned by Y"). One 408 basic use case of a claim is an entity using an HHIT as an 409 identifier, e.g., a UAS using an HHIT as a UAS ID. 411 Assertions: 413 An assertion in DRIP is a set of claims. This definition is 414 borrowed from JWT/CWT. An HHIT of itself can be seen as an 415 assertion: a claim that the identifier is a handle to an 416 asymmetric keypair owned by the entity, and a claim that the 417 identifier is in the registry specified by the HID embedded in the 418 identifier. 420 Attestations: 422 An attestation in DRIP is a signed assertion. The signer may be a 423 claimant or a third party. Under DRIP this is normally used when 424 an entity asserts a relationship with another entity, along with 425 other information, and the asserting entity signs the assertion, 426 thereby making it an attestation. 428 Certificates: 430 A certificate in DRIP is an attestation, strictly over identity 431 information, signed by a third party. 433 4. HHIT for DRIP Entity Identifier 435 This section describes the basic requirements of a DRIP entity 436 identifier per regulation constrains from ASTM [F3411-19] and 437 explains the use of Hierarchical Host Identity Tags (HHITs) as self- 438 asserting IPv6 addresses and thereby a trustable DRIP identifier for 439 use as the UAS Remote ID. HHITs self-attest to the included explicit 440 hierarchy that provides Registrar discovery for 3rd-party ID 441 attestation. 443 4.1. UAS Remote Identifiers Problem Space 445 A DRIP entity identifier needs to be "Trustworthy". This means that 446 within the framework of the RID messages, an Observer can establish 447 that the DRIP identifier used does uniquely belong to the UAS. That 448 the only way for any other UAS to assert this DRIP identifier would 449 be to steal something from within the UAS. The DRIP identifier is 450 self-generated by the UAS (either UA or GCS) and registered with the 451 USS. 453 The data communication of using Broadcast RID faces extreme 454 challenges due to the limitation of the demanding support for 455 Bluetooth. The ASTM [F3411-19] defines the basic RID message which 456 is expected to contain certain RID data and the Authentication 457 message. The Basic RID message has a maximum payload of 25 bytes and 458 the maximum size allocated by ASTM for the RID is 20 bytes and only 3 459 bytes are left unused. currently, the authentication maximum payload 460 is defined to be 201 bytes. 462 Standard approaches like X.509 and PKI will not fit these 463 constraints, even using the new EdDSA [RFC8032] algorithm. An 464 example of a technology that will fit within these limitations is an 465 enhancement of the Host Identity Tag (HIT) of HIPv2 [RFC7401] using 466 Hierarchical HITs (HHITs) for UAS RID is outlined in HHIT based UAS 467 RID [I-D.ietf-drip-rid]. As PKI with X.509 is being used in other 468 systems with which UAS RID must interoperate (e.g. Discovery and 469 Synchronization Service and any other communications involving USS) 470 mappings between the more flexible but larger X.509 certificates and 471 the HHIT-based structures must be devised. 473 By using the EdDSA HHIT suite, the self-attestations of the RID can 474 be done in as little as 84 bytes. Third-party Certificates can be 475 done in 200 bytes. An Observer would need Internet access to 476 validate a self-attestations claim. A third-party Certificate can be 477 validated via a small credential cache in a disconnected environment. 478 This third-party Certificate is possible when the third-party also 479 uses HHITs for its identity and the UA has the public key and the 480 Certificate for that HHIT. 482 4.2. HIT as A Trustworthy DRIP Entity Identifier 484 For a Remote ID to be trustworthy in the Broadcast mode, it is better 485 to have an asymmetric keypair for proof of ID ownership. The common 486 method of using a key signing operation to assert ownership of an ID, 487 does not guarantee name uniqueness. Any entity can sign an ID, 488 claiming ownership. To mitigate spoofing risks, the ID needs to be 489 cryptographically generated from the public key, in such a manner 490 that it is statistically hard for an entity to create a public key 491 that would generate (spoof) the ID. Thus the signing of such an ID 492 becomes an a proof (verifiable attestation, versus mere claim) of 493 ownership. 495 HITs are statistically unique through the cryptographic hash feature 496 of second-preimage resistance. The cryptographically-bound addition 497 of the Hierarchy and an HHIT registration process (e.g. based on 498 Extensible Provisioning Protocol, [RFC5730]) provide complete, global 499 HHIT uniqueness. This is in contrast to general IDs (e.g. a UUID or 500 device serial number) as the subject in an X.509 certificate. 502 4.3. HHIT for DRIP Identifier Registration and Lookup 504 DRIP identifiers need a deterministic lookup mechanism that rapidly 505 provides actionable information about the identified UA. The 506 identifier itself needs to be the inquiry input into the lookup given 507 the constraints imposed by some of the broadcast media. This can 508 best be achieved by an Identifier registration hierarchy 509 cryptographically embedded within the Identifier. 511 A HHIT itself consists of a registration hierarchy, the hashing 512 crypto suite information, and the hash of these items along with the 513 underlying public key. Additional information, e.g. an IPv6 prefix, 514 can enhance the HHITs use beyond the basic Remote ID function (e.g 515 use in HIP, [RFC7401]). 517 Therefore, a DRIP identifier can be represented as a HHIT. It can be 518 self-generated by a UAS (either UA or GCS) and registered with the 519 Private Information Registry (More details in Section 5.2) identified 520 in its hierarchy fields. Each DRIP identifier represented as an HHIT 521 can not be used more than once. 523 A DRIP identifier can be assigned to a UAS as a static HHIT by its 524 manufacturer, such as a single HI and derived HHIT encoded as a 525 hardware serial number per [CTA2063A]. Such a static HHIT can only 526 be used to bind one-time use DRIP identifiers to the unique UA. 527 Depending upon implementation, this may leave a HI private key in the 528 possession of the manufacturer (more details in Section 8). 530 In another case, a UAS equipped for Broadcast RID can be provisioned 531 not only with its HHIT but also with the HI public key from which the 532 HHIT was derived and the corresponding private key, to enable message 533 signature. A UAS equipped for Network RID can be provisioned 534 likewise; the private key resides only in the ultimate source of 535 Network RID messages (i.e. on the UA itself if the GCS is merely 536 relaying rather than sourcing Network RID messages). Each Observer 537 device can be provisioned either with public keys of the DRIP 538 identifier root registries or certificates for subordinate 539 registries. 541 The Operators, Private Information Registries as well as other UTM 542 entities can possess UAS ID style HHITs. When present, such HHITs 543 can be used with HIP to strongly mutually authenticate and optionally 544 encrypt communications. 546 4.4. HHIT for DRIP Identifier Cryptographic 548 The only (known to the authors of this document at the time of its 549 writing) extant fixed-length ID cryptographically derived from a 550 public key are the Host Identity Tag [RFC7401], HITs, and 551 Cryptographically Generated Addresses [RFC3972], CGAs. However, both 552 HITs and CGAs lack registration/retrieval capability. HHIT, on the 553 other hand, is capable of providing a cryptographic hashing function, 554 along with a registration process to mitigate the probability of a 555 hash collision (first registered, first allowed). 557 5. DRIP Identifier Registration and Registries 559 UAS registries can hold both public and private UAS information 560 resulting from the DRIP identifier registration process. Given these 561 different uses, and to improve scalability, security, and simplicity 562 of administration, the public and private information can be stored 563 in different registries. A DRIP identifier is amenable to handling 564 as an Internet domain name (at an arbitrary level in the hierarchy). 565 It also can be registered in at least a pseudo-domain (e.g. .ip6.arpa 566 for reverse lookup), or as a sub-domain (for forward lookup). This 567 section introduces the public and private information registries for 568 DRIP identifiers. 570 5.1. Public Information Registry 572 5.1.1. Background 574 The public registry provides trustable information such as 575 attestations of RID ownership and HDA registration. Optionally, 576 pointers to the repositories for the HDA and RAA implicit in the RID 577 can be included (e.g. for HDA and RAA HHIT|HI used in attestation 578 signing operations). This public information will be principally 579 used by Observers of Broadcast RID messages. Data on UAS that only 580 use Network RID, is only available via an Observer's Net-RID DP that 581 would tend to provide all public registry information directly. The 582 Observer can visually "see" these UAS, but they are silent to the 583 Observer; the Net-RID DP is the only source of information based on a 584 query for an airspace volume. 586 5.1.2. Proposed Approach 588 A DRIP public information registry can respond to standard DNS 589 queries, in the definitive public Internet DNS hierarchy. If a DRIP 590 public information registry lists, in a HIP RR, any HIP RVS servers 591 for a given DRIP identifier, those RVS servers can restrict relay 592 services per AAA policy; this requires extensions to [RFC8004]. 593 These public information registries can use secure DNS transport 594 (e.g. DNS over TLS) to deliver public information that is not 595 inherently trustable (e.g. everything other than attestations). 597 5.2. Private Information Registry 598 5.2.1. Background 600 The private information required for DRIP identifiers is similar to 601 that required for Internet domain name registration. A DRIP 602 identifier solution can leverage existing Internet resources: 603 registration protocols, infrastructure and business models, by 604 fitting into an ID structure compatible with DNS names. This implies 605 some sort of hierarchy, for scalability, and management of this 606 hierarchy. It is expected that the private registry function will be 607 provided by the same organizations that run USS, and likely 608 integrated with USS. 610 5.2.2. Proposed Approach 612 A DRIP private information registry can support essential Internet 613 domain name registry operations (e.g. add, delete, update, query) 614 using interoperable open standard protocols. It can also support the 615 Extensible Provisioning Protocol (EPP) and the Registry Data Access 616 Protocol (RDAP) with access controls. It might be listed in a DNS: 617 that DNS could be private; but absent any compelling reasons for use 618 of private DNS, a public DNS hierarchy needs to be in place. The 619 DRIP private information registry in which a given UAS is registered 620 needs to be findable, starting from the UAS ID, using the methods 621 specified in [RFC7484]. A DRIP private information registry can also 622 support WebFinger as specified in [RFC7033]. 624 6. Harvesting Broadcast Remote ID messages for UTM Inclusion 626 ASTM anticipated that regulators would require both Broadcast RID and 627 Network RID for large UAS, but allow RID requirements for small UAS 628 to be satisfied with the operator's choice of either Broadcast RID or 629 Network RID. The EASA initially specified Broadcast RID for UAS of 630 essentially all UAS and is now also considering Network RID. The FAA 631 RID Final Rules only specifies Broadcast RID for UAS, however, still 632 encourages Network RID for complementary functionality, especially in 633 support of UTM. 635 One obvious opportunity is to enhance the architecture with gateways 636 from Broadcast RID to Network RID. This provides the best of both 637 and gives regulators and operators flexibility. It offers 638 considerable enhancement over some Network RID options such as only 639 reporting planned 4D operation space by the operator. 641 These gateways could be pre-positioned (e.g. around airports, public 642 gatherings, and other sensitive areas) and/or crowd-sourced (as 643 nothing more than a smartphone with a suitable app is needed). As 644 Broadcast RID media have limited range, gateways receiving messages 645 claiming locations far from the gateway can alert authorities or a 646 SDSP to the failed sanity check possibly indicating intent to 647 deceive. Surveillance SDSPs can use messages with precise date/time/ 648 position stamps from the gateways to multilaterate UA location, 649 independent of the locations claimed in the messages (which may have 650 a natural time lag as it is), which are entirely operator self- 651 reported in UAS RID and UTM. 653 Further, gateways with additional sensors (e.g. smartphones with 654 cameras) can provide independent information on the UA type and size, 655 confirming or refuting those claims made in the RID messages. This 656 Crowd Sourced Remote ID (CS-RID) would be a significant enhancement, 657 beyond baseline DRIP functionality; if implemented, it adds two more 658 entity types. 660 6.1. The CS-RID Finder 662 A CS-RID Finder is the gateway for Broadcast Remote ID Messages into 663 the UTM. It performs this gateway function via a CS-RID SDSP. A CS- 664 RID Finder could implement, integrate, or accept outputs from, a 665 Broadcast RID receiver. However, it can not interface directly with 666 a GCS, Net-RID SP, Net-RID DP or Network RID client. It would 667 present a TBD interface to a CS-RID SDSP; this interface needs to be 668 based upon but readily distinguishable from that between a GCS and a 669 Net-RID SP. 671 6.2. The CS-RID SDSP 673 A CS-RID SDSP would appear (i.e. present the same interface) to a 674 Net-RID SP as a Net-RID DP. A CS-RID SDSP can not present a standard 675 GCS-facing interface as if it were a Net-RID SP. A CS-RID SDSP would 676 present a TBD interface to a CS-RID Finder; this interface can be 677 based upon but readily distinguishable between a GCS and a Net-RID 678 SP. 680 7. Privacy for Broadcast PII 682 Broadcast RID messages can contain PII. A viable architecture for 683 PII protection would be symmetric encryption of the PII using a key 684 known to the UAS and its USS. An authorized Observer could send the 685 encrypted PII along with the UAS ID (to entities such as USS of the 686 Observer, or to the UAS in which the UAS ID is registered if that can 687 be determined from the UAS ID itself or to a Public Safety USS) to 688 get the plaintext. Alternatively, the authorized Observer can 689 receive the key to directly decrypt all future PII content from the 690 UA. 692 PII can be protected unless the UAS is informed otherwise. This 693 could come from operational instructions to even permit flying in a 694 space/time. It can be special instructions at the start or during an 695 operation. PII protection can not be used if the UAS loses 696 connectivity to the USS. The UAS always has the option to abort the 697 operation if PII protection is disallowed. 699 An authorized Observer can instruct a UAS via the USS that conditions 700 have changed mandating no PII protection or land the UA (abort the 701 operation). 703 8. Security Considerations 705 The security provided by asymmetric cryptographic techniques depends 706 upon protection of the private keys. A manufacturer that embeds a 707 private key in an UA may have retained a copy. A manufacturer whose 708 UA are configured by a closed source application on the GCS which 709 communicates over the Internet with the factory may be sending a copy 710 of a UA or GCS self-generated key back to the factory. Keys may be 711 extracted from a GCS or UA. The RID sender of a small harmless UA 712 (or the entire UA) could be carried by a larger dangerous UA as a 713 "false flag." Compromise of a registry private key could do 714 widespread harm. Key revocation procedures are as yet to be 715 determined. These risks are in addition to those involving Operator 716 key management practices. 718 9. Acknowledgements 720 The work of the FAA's UAS Identification and Tracking (UAS ID) 721 Aviation Rulemaking Committee (ARC) is the foundation of later ASTM 722 and proposed IETF DRIP WG efforts. The work of ASTM F38.02 in 723 balancing the interests of diverse stakeholders is essential to the 724 necessary rapid and widespread deployment of UAS RID. IETF 725 volunteers who have contributed to this draft include Amelia 726 Andersdotter and Mohamed Boucadair. 728 10. References 730 10.1. Normative References 732 [I-D.ietf-drip-reqs] 733 Card, S., Wiethuechter, A., Moskowitz, R., and A. Gurtov, 734 "Drone Remote Identification Protocol (DRIP) 735 Requirements", Work in Progress, Internet-Draft, draft- 736 ietf-drip-reqs-06, 1 November 2020, . 739 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 740 Requirement Levels", BCP 14, RFC 2119, 741 DOI 10.17487/RFC2119, March 1997, 742 . 744 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 745 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 746 May 2017, . 748 10.2. Informative References 750 [CTA2063A] ANSI, "Small Unmanned Aerial Systems Serial Numbers", 751 2019. 753 [Delegated] 754 European Union Aviation Safety Agency (EASA), "EU 755 Commission Delegated Regulation 2019/945 of 12 March 2019 756 on unmanned aircraft systems and on third-country 757 operators of unmanned aircraft systems", 2019. 759 [F3411-19] ASTM, "Standard Specification for Remote ID and Tracking", 760 2019. 762 [FAA_RID] United States Federal Aviation Administration (FAA), 763 "Remote Identification of Unmanned Aircraft", 2021, 764 . 767 [FAA_UAS_Concept_Of_Ops] 768 United States Federal Aviation Administration (FAA), 769 "Unmanned Aircraft System (UAS) Traffic Management (UTM) 770 Concept of Operations (V2.0)", 2020, 771 . 774 [I-D.ietf-drip-rid] 775 Moskowitz, R., Card, S., Wiethuechter, A., and A. Gurtov, 776 "UAS Remote ID", Work in Progress, Internet-Draft, draft- 777 ietf-drip-rid-06, 31 December 2020, . 780 [Implementing] 781 European Union Aviation Safety Agency (EASA), "EU 782 Commission Implementing Regulation 2019/947 of 24 May 2019 783 on the rules and procedures for the operation of unmanned 784 aircraft", 2019. 786 [LAANC] United States Federal Aviation Administration (FAA), "Low 787 Altitude Authorization and Notification Capability", n.d., 788 . 791 [NPRM] United States Federal Aviation Administration (FAA), 792 "Notice of Proposed Rule Making on Remote Identification 793 of Unmanned Aircraft Systems", 2019. 795 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", 796 STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987, 797 . 799 [RFC3972] Aura, T., "Cryptographically Generated Addresses (CGA)", 800 RFC 3972, DOI 10.17487/RFC3972, March 2005, 801 . 803 [RFC5730] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)", 804 STD 69, RFC 5730, DOI 10.17487/RFC5730, August 2009, 805 . 807 [RFC5731] Hollenbeck, S., "Extensible Provisioning Protocol (EPP) 808 Domain Name Mapping", STD 69, RFC 5731, 809 DOI 10.17487/RFC5731, August 2009, 810 . 812 [RFC7033] Jones, P., Salgueiro, G., Jones, M., and J. Smarr, 813 "WebFinger", RFC 7033, DOI 10.17487/RFC7033, September 814 2013, . 816 [RFC7401] Moskowitz, R., Ed., Heer, T., Jokela, P., and T. 817 Henderson, "Host Identity Protocol Version 2 (HIPv2)", 818 RFC 7401, DOI 10.17487/RFC7401, April 2015, 819 . 821 [RFC7482] Newton, A. and S. Hollenbeck, "Registration Data Access 822 Protocol (RDAP) Query Format", RFC 7482, 823 DOI 10.17487/RFC7482, March 2015, 824 . 826 [RFC7484] Blanchet, M., "Finding the Authoritative Registration Data 827 (RDAP) Service", RFC 7484, DOI 10.17487/RFC7484, March 828 2015, . 830 [RFC8004] Laganier, J. and L. Eggert, "Host Identity Protocol (HIP) 831 Rendezvous Extension", RFC 8004, DOI 10.17487/RFC8004, 832 October 2016, . 834 [RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital 835 Signature Algorithm (EdDSA)", RFC 8032, 836 DOI 10.17487/RFC8032, January 2017, 837 . 839 [TS-22.825] 840 3GPP, "UAS RID requirement study", n.d., 841 . 844 [U-Space] European Organization for the Safety of Air Navigation 845 (EUROCONTROL), "U-space Concept of Operations", 2019, 846 . 849 Appendix A. Overview of Unmanned Aircraft Systems (UAS) Traffic 850 Management (UTM) 852 A.1. Operation Concept 854 The National Aeronautics and Space Administration (NASA) and FAAs' 855 effort of integrating UAS's operation into the national airspace 856 system (NAS) leads to the development of the concept of UTM and the 857 ecosystem around it. The UTM concept was initially presented in 2013 858 and version 2.0 is published in 2020 [FAA_UAS_Concept_Of_Ops]. 860 The eventual development and implementation are conducted by the UTM 861 research transition team which is the joint workforce by FAA and 862 NASA. World efforts took place afterward. The Single European Sky 863 ATM Research (SESAR) started the CORUS project to research its UTM 864 counterpart concept, namely [U-Space]. This effort is led by the 865 European Organization for the Safety of Air Navigation (Eurocontrol). 867 Both NASA and SESAR have published the UTM concept of operations to 868 guide the development of their future air traffic management (ATM) 869 system and make sure safe and efficient integrations of manned and 870 unmanned aircraft into the national airspace. 872 The UTM composes of UAS operation infrastructure, procedures and 873 local regulation compliance policies to guarantee UAS's safe 874 integration and operation. The main functionality of a UTM includes, 875 but is not limited to, providing means of communication between UAS 876 operators and service providers and a platform to facilitate 877 communication among UAS service providers. 879 A.2. UAS Service Supplier (USS) 881 A USS plays an important role to fulfill the key performance 882 indicators (KPIs) that a UTM has to offer. Such Entity acts as a 883 proxy between UAS operators and UTM service providers. It provides 884 services like real-time UAS traffic monitor and planning, 885 aeronautical data archiving, airspace and violation control, 886 interacting with other third-party control entities, etc. A USS can 887 coexist with other USS(s) to build a large service coverage map which 888 can load-balance, relay and share UAS traffic information. 890 The FAA works with UAS industry shareholders and promotes the Low 891 Altitude Authorization and Notification Capability [LAANC] program 892 which is the first system to realize some of the UTM envisioned 893 functionality. The LAANC program can automate the UAS's flight plan 894 application and approval process for airspace authorization in real- 895 time by checking against multiple aeronautical databases such as 896 airspace classification and fly rules associated with it, FAA UAS 897 facility map, special use airspace, Notice to Airman (NOTAM), and 898 Temporary Flight Rule (TFR). 900 A.3. UTM Use Cases for UAS Operations 902 This section illustrates a couple of use case scenarios where UAS 903 participation in UTM has significant safety improvement. 905 1. For a UAS participating in UTM and takeoff or land in a 906 controlled airspace (e.g., Class Bravo, Charlie, Delta and Echo 907 in United States), the USS where UAS is currently communicating 908 with is responsible for UAS's registration, authenticating the 909 UAS's fly plan by checking against designated UAS fly map 910 database, obtaining the air traffic control (ATC) authorization 911 and monitor the UAS fly path in order to maintain safe boundary 912 and follow the pre-authorized route. 914 2. For a UAS participating in UTM and take off or land in an 915 uncontrolled airspace (ex. Class Golf in the United States), 916 pre-fly authorization must be obtained from a USS when operating 917 beyond-visual-of-sight (BVLOS) operation. The USS either accepts 918 or rejects received intended fly plan from the UAS. Accepted UAS 919 operation may share its current fly data such as GPS position and 920 altitude to USS. The USS may keep the UAS operation status near 921 real-time and may keep it as a record for overall airspace air 922 traffic monitor. 924 A.4. Automatic Dependent Surveillance Broadcast (ADS-B) 926 The ADS-B is the de facto technology used in manned aviation for 927 sharing location information, which is a ground and satellite based 928 system designed in the early 2000s. Broadcast RID is conceptually 929 similar to ADS-B. However, for numerous technical and regulatory 930 reasons, ADS-B itself is not suitable for low-flying small UA. 931 Technical reasons include: needing RF-LOS to large, expensive (hence 932 scarce) ground stations; needing both a satellite receiver and 1090 933 MHz transceiver onboard CSWaP constrained UA; the limited bandwidth 934 of both uplink and downlink, which are adequate for the current 935 manned aviation traffic volume, but would likely be saturated by 936 large numbers of UAS, endangering manned aviation; etc. 937 Understanding these technical shortcomings, regulators world-wide 938 have ruled out use of ADS-B for the small UAS for which UAS RID and 939 DRIP are intended. 941 Authors' Addresses 943 Stuart W. Card 944 AX Enterprize 945 4947 Commercial Drive 946 Yorkville, NY, 13495 947 United States of America 949 Email: stu.card@axenterprize.com 951 Adam Wiethuechter 952 AX Enterprize 953 4947 Commercial Drive 954 Yorkville, NY, 13495 955 United States of America 957 Email: adam.wiethuechter@axenterprize.com 959 Robert Moskowitz 960 HTT Consulting 961 Oak Park, MI, 48237 962 United States of America 964 Email: rgm@labs.htt-consult.com 966 Shuai Zhao 967 Tencent 968 2747 Park Blvd 969 Palo Alto, 94588 970 United States of America 972 Email: shuai.zhao@ieee.org 974 Andrei Gurtov 975 Linkoeping University 976 IDA 977 SE-58183 Linkoeping Linkoeping 978 Sweden 980 Email: gurtov@acm.org