idnits 2.17.1

draft-ietf-drip-arch-13.txt:
 -(10): Line appears to be too long, but this could be caused by non-ascii
        characters in UTF-8 encoding

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == There are 3 instances of lines with non-ascii characters in the document.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Line 222 has weird spacing: '...bserver x x...'

  == Line 315 has weird spacing: '...perator xxxxx...'

  == The document doesn't use any RFC 2119 keywords, yet has text resembling
     RFC 2119 boilerplate text.

  -- The document date (27 May 2021) is 1065 days in the past.  Is this
     intentional?

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '<CODE BEGINS>' and
     '<CODE ENDS>' lines.

  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  == Outdated reference: A later version (-18) exists of
     draft-ietf-drip-reqs-12

  == Outdated reference: A later version (-37) exists of
     draft-ietf-drip-rid-07

  -- Obsolete informational reference (is this intentional?): RFC 7482
     (Obsoleted by RFC 9082)

  -- Obsolete informational reference (is this intentional?): RFC 7484
     (Obsoleted by RFC 9224)


     Summary: 1 error (**), 0 flaws (~~), 7 warnings (==), 4 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

drip                                                             S. Card
Internet-Draft                                           A. Wiethuechter
Intended status: Informational                             AX Enterprize
Expires: 28 November 2021                                   R. Moskowitz
                                                          HTT Consulting
                                                        S. Zhao (Editor)
                                                                 Tencent
                                                               A. Gurtov
                                                    Linköping University
                                                             27 May 2021


        Drone Remote Identification Protocol (DRIP) Architecture
                        draft-ietf-drip-arch-13

Abstract

   This document describes an architecture for protocols and services to
   support Unmanned Aircraft System Remote Identification and tracking
   (UAS RID), plus RID-related communications.  This architecture
   satisfies the requirements listed in the DRIP requirements document.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 28 November 2021.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Overview of Unmanned Aircraft System (UAS) Remote ID (RID)
           and Standardization
     1.2.  Overview of Types of UAS Remote ID
       1.2.1.  Broadcast RID
       1.2.2.  Network RID
     1.3.  Overview of USS Interoperability
     1.4.  Overview of DRIP Architecture
   2.  Conventions
   3.  Definitions and Abbreviations
     3.1.  Additional Definitions
     3.2.  Abbreviations
     3.3.  Claims, Assertions, Attestations, and Certificates
   4.  HHIT for DRIP Entity Identifier
     4.1.  UAS Remote Identifiers Problem Space
     4.2.  HIT as A Trustworthy DRIP Entity Identifier
     4.3.  HHIT for DRIP Identifier Registration and Lookup
     4.4.  HHIT for DRIP Identifier Cryptographic
   5.  DRIP Identifier Registration and Registries
     5.1.  Public Information Registry
       5.1.1.  Background
       5.1.2.  Proposed Approach
     5.2.  Private Information Registry
       5.2.1.  Background
       5.2.2.  Proposed Approach
   6.  Harvesting Broadcast Remote ID messages for UTM Inclusion
     6.1.  The CS-RID Finder
     6.2.  The CS-RID SDSP
   7.  Privacy for Broadcast PII
   8.  Security Considerations
   9.  Acknowledgements
   10. References
     10.1.  Normative References
     10.2.  Informative References
   Appendix A.  Overview of Unmanned Aircraft Systems (UAS) Traffic
           Management (UTM)
     A.1.  Operation Concept
     A.2.  UAS Service Supplier (USS)
     A.3.  UTM Use Cases for UAS Operations
     A.4.  Automatic Dependent Surveillance Broadcast (ADS-B)
   Authors' Addresses

1.  Introduction

   This document describes an architecture for protocols and services to
   support Unmanned Aircraft System Remote Identification and tracking
   (UAS RID), plus RID-related communications.  The architecture takes
   into account both current (including proposed) regulations and
   non-IETF technical standards.

   The architecture adheres to the requirements listed in the DRIP
   requirements document [I-D.ietf-drip-reqs].

1.1.  Overview of Unmanned Aircraft System (UAS) Remote ID (RID) and
      Standardization

   UAS Remote Identification (RID) is an application enabler for a UAS
   to be identified by Unmanned Aircraft Systems Traffic Management
   (UTM) and UAS Service Supplier (USS) (Appendix A) or third-party
   entities such as law enforcement.  Many considerations (e.g., safety)
   dictate that UAS be remotely identifiable.  Civil Aviation
   Authorities (CAAs) worldwide are mandating UAS RID.  For example, the
   European Union Aviation Safety Agency (EASA) has published
   [Delegated] and [Implementing] Regulations.

   CAAs currently promulgate performance-based regulations that do not
   specify techniques, but rather cite industry consensus technical
   standards as acceptable means of compliance.

   Federal Aviation Administration (FAA)

      The FAA published a Notice of Proposed Rule Making [NPRM] in 2019
      and thereafter published the "Final Rule" in 2021 [FAA_RID].  The
      FAA's final rule clearly states that Automatic Dependent
      Surveillance Broadcast (ADS-B) Out and transponders cannot be
      used to serve the purpose of remote identification.  More
      details about ADS-B can be found in Appendix A.4.

   American Society for Testing and Materials (ASTM)

      ASTM International, Technical Committee F38 (UAS), Subcommittee
      F38.02 (Aircraft Operations), Work Item WK65041, developed the
      ASTM [F3411-19] Standard Specification for Remote ID and Tracking.

      ASTM defines one set of RID information and two means, MAC-layer
      broadcast and IP-layer network, of communicating it.  If a UAS
      uses both communication methods, the same information must be
      provided via both means.  [F3411-19] is cited by FAA in its RID
      final rule [FAA_RID] as "a potential means of compliance" to a
      Remote ID rule.

   The 3rd Generation Partnership Project (3GPP)

      With release 16, the 3GPP completed the UAS RID requirement study
      [TS-22.825] and proposed a set of use cases in the mobile network
      and the services that can be offered based on RID.  The Release 17
      specification focuses on enhanced UAS service requirements and
      provides the protocol and application architecture support that
      will be applicable for both 4G and 5G networks.

1.2.  Overview of Types of UAS Remote ID

1.2.1.  Broadcast RID

   A set of RID messages is defined for direct, one-way, broadcast
   transmissions from the UA over Bluetooth or Wi-Fi.  These are
   currently defined as MAC-Layer messages.  Internet (or other Wide
   Area Network) connectivity is only needed for UAS registry
   information lookup by Observers using the locally directly received
   UAS RID as a key.  Broadcast RID should be functionally usable in
   situations with no Internet connectivity.

   The Broadcast RID is illustrated in Figure 1.

               x x  UA
              xxxxx
                |
                |
                |     app messages directly over
                |     one-way RF data link (no IP)
                |
                |
                +
                x
              xxxxx
                x
                x
               x x    Observer's device (e.g. smartphone)
              x   x

                                Figure 1

   With Broadcast RID, an Observer is limited to their radio "visible"
   airspace for UAS awareness and information.  With queries sent over
   the Internet using harvested RID (see Section 6), the Observer may
   gain more information about those visible UAS.

1.2.2.  Network RID

   A RID data dictionary and data flow for Network RID are defined in
   [F3411-19].  This data flow is emitted from a UAS via unspecified
   means (but at least in part over the Internet) to a Network Remote ID
   Service Provider (Net-RID SP).  A Net-RID SP provides the RID data to
   Network Remote ID Display Providers (Net-RID DP).
   It is the Net-RID DP that responds to queries from Network Remote ID
   Observers (expected typically, but not specified exclusively, to be
   web-based) specifying airspace volumes of interest.  Network RID
   depends upon connectivity, in several segments, via the Internet,
   from the UAS to the Observer.

   The Network RID is illustrated in Figure 2:

           x x  UA
          xxxxx       ********************
            |  \    *               ------*---+------------+
            |   \   *              /      *   | NET_RID_SP |
            |    \  * ------------/    +---*--+------------+
            | RF  \ */                 |   *
            |       *      INTERNET    |   *  +------------+
            |      /*                  +---*--| NET_RID_DP |
            |     / *                  +---*--+------------+
            +    /  *                  |   *
            x   /     *****************|***       x
          xxxxx                        |        xxxxx
            x                          +-------   x
            x                                     x
           x x   Operator (GCS)       Observer   x x
          x   x                                 x   x

                                Figure 2

   Command and Control (C2) must flow from the GCS to the UA via some
   path, currently (in 2021) typically a direct RF link, but with
   increasing BVLOS operations expected often to be wireless links at
   either end with the Internet between.  For all but the simplest
   hobby aircraft, telemetry (at least position and heading) flows from
   the UA to the GCS via some path, typically the reverse of the C2
   path.  Thus, RID information pertaining to both the GCS and the UA
   can be sent, by whichever has Internet connectivity, to the Net-RID
   SP, typically the USS managing the UAS operation.

   The Net-RID SP forwards RID information via the Internet to
   subscribed Net-RID DP, typically a USS.  Subscribed Net-RID DP
   forward RID information via the Internet to subscribed Observer
   devices.  Regulations require and [F3411-19] describes RID data
   elements that must be transported end-to-end from the UAS to the
   subscribed Observer devices.

   [F3411-19] prescribes the protocols only between the Net-RID SP,
   Net-RID DP, and the Discovery and Synchronization Service (DSS).
   DRIP may also address standardization of protocols between the UA and
   GCS, between the UAS and the Net-RID SP, and/or between the Net-RID
   DP and Observer devices.

      Informative note: Neither link layer protocols nor the use of
      links (e.g., the link often existing between the GCS and the
      UA) for any purpose other than carriage of RID information is
      in the scope of [F3411-19] Network RID.

1.3.  Overview of USS Interoperability

   Each UAS is registered to at least one USS.  With Net-RID, there is
   direct communication between the UAS and its USS.  With Broadcast-
   RID, either the UAS Operator has pre-filed a 4D space volume for USS
   operational knowledge, or Observers can provide information about
   observed UA to a USS, or both.  USS exchange information via a
   Discovery and Synchronization Service (DSS) so all USS collectively
   have knowledge about all activities in a 4D airspace.

   The interactions among Observer, UA, and USS are shown in Figure 3.

                       +----------+
                       | Observer |
                       +----------+
                        /        \
                       /          \
                 +-----+          +-----+
                 | UA1 |          | UA2 |
                 +-----+          +-----+
                       \          /
                        \        /
                       +----------+
                       | Internet |
                       +----------+
                        /        \
                       /          \
               +-------+           +-------+
               | USS-1 | <-------> | USS-2 |
               +-------+           +-------+
                       \          /
                        \        /
                         +------+
                         | DSS  |
                         +------+

                                Figure 3

1.4.  Overview of DRIP Architecture

   The requirements document [I-D.ietf-drip-reqs] provides an extended
   introduction to the problem space and use cases.  Only a brief
   summary of that introduction is restated here as context, with
   reference to the general UAS RID usage scenarios shown in Figure 4.

       General     x                           x   Public
       Public    xxxxx                       xxxxx Safety
       Observer    x                           x   Observer
                   x                           x
                  x x ---------+  +---------- x x
                 x   x         |  |          x   x
                               |  |
          UA1  x x             |  |  +------------  x x UA2
              xxxxx            |  |  |             xxxxx
                |              +  +  +               |
                |            xxxxxxxxxx              |
                |           x          x             |
                +----------+x Internet x+------------+
     UA1        |           x          x             |       UA1
    Pilot     x |            xxxxxxxxxx              | x    Pilot
   Operator xxxxx              +  +  +               xxxxx Operator
     GCS1     x                |  |  |                 x    GCS2
              x                |  |  |                 x
             x x               |  |  |                x x
            x   x              |  |  |               x   x
                               |  |  |
             +----------+      |  |  |       +----------+
             |          |------+  |  +-------|          |
             | Public   |         |          | Private  |
             | Registry |      +-----+       | Registry |
             |          |      | DNS |       |          |
             +----------+      +-----+       +----------+

                                Figure 4

   DRIP is meant to leverage existing Internet resources (standard
   protocols, services, infrastructures, and business models) to meet
   UAS RID and closely related needs.  DRIP will specify how to apply
   IETF standards, complementing [F3411-19] and other external
   standards, to satisfy UAS RID requirements.

   This document outlines the UAS RID architecture into which DRIP must
   fit and the architecture for DRIP itself.  This includes presenting
   the gaps between the CAAs' Concepts of Operations and [F3411-19] as
   it relates to the use of Internet technologies and UA direct RF
   communications.  Issues include, but are not limited to:

      -  Design of trustworthy remote ID and trust in RID messages
         (Section 4)

      -  Mechanisms to leverage Domain Name System (DNS: [RFC1034]),
         Extensible Provisioning Protocol (EPP [RFC5731]) and
         Registration Data Access Protocol (RDAP) ([RFC7482]) to provide
         for private (Section 5.2) and public (Section 5.1) information
         registry.

      -  Harvesting broadcast RID messages for UTM inclusion
         (Section 6).

      -  Privacy in RID messages (PII protection) (Section 7).

2.  Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown above.

3.  Definitions and Abbreviations

3.1.  Additional Definitions

   This document uses terms defined in [I-D.ietf-drip-reqs].

3.2.  Abbreviations

   ADS-B:      Automatic Dependent Surveillance Broadcast

   DSS:        Discovery & Synchronization Service

   EdDSA:      Edwards-Curve Digital Signature Algorithm

   GCS:        Ground Control Station

   HHIT:       Hierarchical HIT Registries

   HIP:        Host Identity Protocol

   HIT:        Host Identity Tag

   RID:        Remote ID

   Net-RID SP: Network RID Service Provider

   Net-RID DP: Network RID Display Provider

   PII:        Personally Identifiable Information

   RF:         Radio Frequency

   SDSP:       Supplemental Data Service Provider

   UA:         Unmanned Aircraft

   UAS:        Unmanned Aircraft System

   USS:        UAS Service Supplier

   UTM:        UAS Traffic Management

3.3.  Claims, Assertions, Attestations, and Certificates

   This section introduces the terms "Claims", "Assertions",
   "Attestations", and "Certificates" as used in DRIP.

   This is due to the term "certificate" having significant
   technological and legal baggage associated with it, specifically
   around X.509 certificates.  These types of certificates and Public
   Key Infrastructure invoke more legal and public policy considerations
   than probably any other electronic communication sector.  It emerged
   as a governmental platform for trusted identity management and was
   pursued in intergovernmental bodies with links into treaty
   instruments.

   Claims:

      A claim in DRIP is a predicate (e.g., "X is Y", "X has property
      Y", and most importantly "X owns Y" or "X is owned by Y").

   Assertions:

      An assertion in DRIP is a set of claims.
      This definition is borrowed from JWT [RFC7519] and CWT [RFC8392].

   Attestations:

      An attestation in DRIP is a signed assertion.  The signer may be a
      claimant or a third party.  Under DRIP this is normally used when
      an entity asserts a relationship with another entity, along with
      other information, and the asserting entity signs the assertion,
      thereby making it an attestation.

   Certificates:

      A certificate in DRIP is an attestation, strictly over identity
      information, signed by a third party.

4.  HHIT for DRIP Entity Identifier

   This section describes the basic requirements of a DRIP entity
   identifier per regulatory constraints from ASTM [F3411-19] and
   explains the use of Hierarchical Host Identity Tags (HHITs) as self-
   asserting IPv6 addresses and thereby a trustable DRIP identifier for
   use as the UAS Remote ID.  HHITs self-attest to the included explicit
   hierarchy that provides Registrar discovery for 3rd-party ID
   attestation.

4.1.  UAS Remote Identifiers Problem Space

   A DRIP entity identifier needs to be "Trustworthy".  This means that
   within the framework of the RID messages, an Observer can establish
   that the DRIP identifier used does uniquely belong to the UAS.  The
   only way for any other UAS to assert this DRIP identifier would be
   to steal something from within the UAS.  The DRIP identifier is
   self-generated by the UAS (either UA or GCS) and registered with the
   USS.

   Data communication using Broadcast RID faces extreme challenges due
   to the limitations of the required Bluetooth support.  ASTM
   [F3411-19] defines the Basic RID message, which is expected to
   contain certain RID data, and the Authentication message.  The Basic
   RID message has a maximum payload of 25 bytes; the maximum size
   allocated by ASTM for the RID is 20 bytes, and only 3 bytes are left
   unused.
   Currently, the authentication maximum payload is defined to be 201
   bytes.

   Standard approaches like X.509 and PKI will not fit these
   constraints; even with the new EdDSA [RFC8032] algorithm, they cannot
   fit within the maximum 201-byte limit, due in large measure to ASN.1
   encoding format overhead.

   An example of a technology that will fit within these limitations is
   an enhancement of the Host Identity Tag (HIT) of HIPv2 [RFC7401]
   using Hierarchical HITs (HHITs) for UAS RID, as outlined in HHIT-
   based UAS RID [I-D.ietf-drip-rid].  As PKI with X.509 is being used
   in other systems with which UAS RID must interoperate (e.g. Discovery
   and Synchronization Service and any other communications involving
   USS), mappings between the more flexible but larger X.509
   certificates and the HHIT-based structures must be devised.  This
   could be as in [RFC8002] or simply the HHIT as Subject Alternative
   Name (SAN) and no Distinguished Name (DN).

   A self-attestation of the HHIT RID can be done in as little as 84
   bytes, by avoiding an explicit encoding technology like ASN.1 or
   Concise Binary Object Representation (CBOR [RFC8949]).  This
   compressed attestation consists of only the HHIT, a timestamp, and
   the EdDSA signature on them.  The HHIT prefix and suiteID provide
   crypto agility and implicit encoding rules.  Similarly, a self-
   attestation of the Hierarchical registration of the RID (an
   attestation of a RID third-party registration "certificate") can be
   done in 200 bytes.  Both these are detailed in UAS RID
   [I-D.ietf-drip-rid].

   An Observer would need Internet access to validate a self-
   attestation claim.  A third-party Certificate can be validated via a
   small credential cache in a disconnected environment.  This third-
   party Certificate is possible when the third-party also uses HHITs
   for its identity and the UA has the public key and the Certificate
   for that HHIT.

4.2.  HIT as A Trustworthy DRIP Entity Identifier

   A Remote ID that can be trustworthily used in the RID Broadcast mode
   can be built from an asymmetric keypair.  Rather than using a key
   signing operation to claim ownership of an ID that does not guarantee
   name uniqueness, in this method the ID is cryptographically derived
   directly from the public key.  The proof of ID ownership (verifiable
   attestation, versus mere claim) comes from signing this cryptographic
   ID with the associated private key.  It is statistically hard for
   another entity to create a public key that would generate (spoof) the
   ID.

   HITs are so designed; they are statistically unique through the
   cryptographic hash feature of second-preimage resistance.  The
   cryptographically-bound addition of the Hierarchy and an HHIT
   registration process (e.g. based on Extensible Provisioning Protocol,
   [RFC5730]) provide complete, global HHIT uniqueness.  This
   registration forces the attacker to generate the same public key
   rather than a public key that generates the same HHIT.  This is in
   contrast to general IDs (e.g. a UUID or device serial number) as the
   subject in an X.509 certificate.

4.3.  HHIT for DRIP Identifier Registration and Lookup

   Remote ID needs a deterministic lookup mechanism that rapidly
   provides actionable information about the identified UA.  Given the
   size constraints imposed by the Bluetooth 4 broadcast media, the
   Remote ID itself needs to be the inquiry input into the lookup.  An
   HHIT DRIP identifier contains cryptographically embedded registration
   information.  This HHIT registration hierarchy, along with the IPv6
   prefix, is trustable and sufficient information that can be used to
   perform such a lookup.  Additionally, the IPv6 prefix can enhance the
   HHIT's use beyond the basic Remote ID function (e.g., use in HIP
   [RFC7401]).

   Therefore, a DRIP identifier can be represented as a HHIT.
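
   The 84-byte self-attestation of Section 4.1 and the key-derived
   identifier of Section 4.2 are shown in Go below.  This is an added
   example, not code from this draft or from [I-D.ietf-drip-rid]: the
   16+4+64 byte split, the SHA-256-based DeriveID (a stand-in for the
   real HHIT derivation), the two hierarchy bytes, the freshness window,
   the constructed keys and all function names are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	idLen  = 16                                    // size of an IPv6 address
	tsLen  = 4                                     // assumed: 32-bit Unix seconds
	attLen = idLen + tsLen + ed25519.SignatureSize // 16 + 4 + 64 = 84
)

var (
	ErrLength    = errors.New("attestation is not 84 bytes")
	ErrBinding   = errors.New("ID is not derived from this public key")
	ErrTimestamp = errors.New("timestamp is in the future or too old")
	ErrSignature = errors.New("signature does not verify")
)

// DeriveID is a simplified stand-in for HHIT derivation: two bytes of
// registry hierarchy, then a truncated hash bound to both the hierarchy
// and the public key. It is not the encoding of [I-D.ietf-drip-rid].
func DeriveID(hier [2]byte, pub ed25519.PublicKey) [idLen]byte {
	h := sha256.New()
	h.Write(hier[:])
	h.Write(pub)
	var id [idLen]byte
	copy(id[:2], hier[:])
	copy(id[2:], h.Sum(nil)[:idLen-2])
	return id
}

// SelfAttest returns ID || timestamp || EdDSA signature over (ID || timestamp),
// with no ASN.1 or CBOR framing: field positions are implicit.
func SelfAttest(priv ed25519.PrivateKey, id [idLen]byte, ts uint32) []byte {
	msg := make([]byte, idLen+tsLen, attLen)
	copy(msg, id[:])
	binary.BigEndian.PutUint32(msg[idLen:], ts)
	return append(msg, ed25519.Sign(priv, msg)...)
}

// Verify is the Observer-side check, run after pub has been looked up for
// the received ID. A signature alone is not enough: the ID must also be
// the one this public key generates, and the timestamp must be fresh.
func Verify(att []byte, pub ed25519.PublicKey, now, maxAge uint32) error {
	if len(att) != attLen {
		return ErrLength
	}
	var hier [2]byte
	copy(hier[:], att[:2])
	want := DeriveID(hier, pub)
	if !bytes.Equal(att[:idLen], want[:]) {
		return ErrBinding
	}
	ts := binary.BigEndian.Uint32(att[idLen : idLen+tsLen])
	if ts > now || now-ts > maxAge {
		return ErrTimestamp
	}
	if !ed25519.Verify(pub, att[:idLen+tsLen], att[idLen+tsLen:]) {
		return ErrSignature
	}
	return nil
}

// constructedKey builds a deterministic demo keypair from a repeated byte.
func constructedKey(b byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := constructedKey(7)
	id := DeriveID([2]byte{0x12, 0x34}, pub) // constructed hierarchy bytes
	att := SelfAttest(priv, id, 1000)
	fmt.Printf("attestation: %d bytes, id %x\n", len(att), id)
	fmt.Println("fresh, genuine:  ", Verify(att, pub, 1010, 60))
	fmt.Println("replayed later:  ", Verify(att, pub, 5000, 60))
	pub2, priv2 := constructedKey(9)
	forged := SelfAttest(priv2, id, 1000) // another key signs the same ID
	fmt.Println("forged, own key: ", Verify(forged, pub2, 1010, 60))
	fmt.Println("forged, real key:", Verify(forged, pub, 1010, 60))
}
```
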
   Such an identifier can be self-generated by a UAS (either UA or GCS)
   and registered with the Private Information Registry (more details in
   Section 5.2) identified in its hierarchy fields.  Each DRIP
   identifier represented as an HHIT cannot be used more than once.

   A DRIP identifier can be assigned to a UAS as a static HHIT by its
   manufacturer, such as a single HI and derived HHIT encoded as a
   hardware serial number per [CTA2063A].  Such a static HHIT can only
   be used to bind one-time use DRIP identifiers to the unique UA.
   Depending upon implementation, this may leave a HI private key in the
   possession of the manufacturer (more details in Section 8).

   In another case, a UAS equipped for Broadcast RID can be provisioned
   not only with its HHIT but also with the HI public key from which the
   HHIT was derived and the corresponding private key, to enable message
   signature.  A UAS equipped for Network RID can be provisioned
   likewise; the private key resides only in the ultimate source of
   Network RID messages (i.e. on the UA itself if the GCS is merely
   relaying rather than sourcing Network RID messages).  Each Observer
   device can be provisioned either with public keys of the DRIP
   identifier root registries or certificates for subordinate
   registries.

   HHITs can be used throughout the UAS/UTM system.  The Operators,
   Private Information Registries, as well as other UTM entities, can
   use HHITs for their IDs.  Such HHITs can facilitate DRIP security
   functions such as used with HIP to strongly mutually authenticate and
   encrypt communications.

4.4.  HHIT for DRIP Identifier Cryptographic

   The only extant fixed-length IDs cryptographically derived from a
   public key (known to the authors of this document at the time of its
   writing) are Host Identity Tags (HITs) [RFC7401] and
   Cryptographically Generated Addresses (CGAs) [RFC3972].
   However, both HITs and CGAs lack registration/retrieval capability.
   HHIT, on the other hand, is capable of providing a cryptographic
   hashing function, along with a registration process to mitigate the
   probability of a hash collision (first registered, first allowed).

5.  DRIP Identifier Registration and Registries

   UAS registries can hold both public and private UAS information
   resulting from the DRIP identifier registration process.  Given these
   different uses, and to improve scalability, security, and simplicity
   of administration, the public and private information can be stored
   in different registries.  A DRIP identifier is amenable to handling
   as an Internet domain name (at an arbitrary level in the hierarchy).
   It also can be registered in at least a pseudo-domain (e.g. .ip6.arpa
   for reverse lookup), or as a sub-domain (for forward lookup).  This
   section introduces the public and private information registries for
   DRIP identifiers.

5.1.  Public Information Registry

5.1.1.  Background

   The public registry provides trustable information such as
   attestations of RID ownership and HDA registration.  Optionally,
   pointers to the repositories for the HDA and RAA implicit in the RID
   can be included (e.g. for HDA and RAA HHIT|HI used in attestation
   signing operations).  This public information will be principally
   used by Observers of Broadcast RID messages.  Data on UAS that only
   use Network RID is only available via an Observer's Net-RID DP that
   would tend to provide all public registry information directly.  The
   Observer can visually "see" these UAS, but they are silent to the
   Observer; the Net-RID DP is the only source of information based on a
   query for an airspace volume.

5.1.2.  Proposed Approach

   A DRIP public information registry can respond to standard DNS
   queries, in the definitive public Internet DNS hierarchy.
   If a DRIP public information registry lists, in a HIP RR, any HIP RVS
   servers for a given DRIP identifier, those RVS servers can restrict
   relay services per AAA policy; this requires extensions to [RFC8004].
   These public information registries can use secure DNS transport
   (e.g. DNS over TLS) to deliver public information that is not
   inherently trustable (e.g. everything other than attestations).

5.2.  Private Information Registry

5.2.1.  Background

   The private information required for DRIP identifiers is similar to
   that required for Internet domain name registration.  A DRIP
   identifier solution can leverage existing Internet resources:
   registration protocols, infrastructure and business models, by
   fitting into an ID structure compatible with DNS names.  This implies
   some sort of hierarchy, for scalability, and management of this
   hierarchy.  It is expected that the private registry function will be
   provided by the same organizations that run USS, and likely
   integrated with USS.

5.2.2.  Proposed Approach

   A DRIP private information registry can support essential Internet
   domain name registry operations (e.g. add, delete, update, query)
   using interoperable open standard protocols.  It can also support the
   Extensible Provisioning Protocol (EPP) and the Registry Data Access
   Protocol (RDAP) with access controls.  It might be listed in a DNS:
   that DNS could be private; but absent any compelling reasons for use
   of private DNS, a public DNS hierarchy needs to be in place.  The
   DRIP private information registry in which a given UAS is registered
   needs to be findable, starting from the UAS ID, using the methods
   specified in [RFC7484].  A DRIP private information registry can also
   support WebFinger as specified in [RFC7033].

6.  Harvesting Broadcast Remote ID messages for UTM Inclusion

   ASTM anticipated that regulators would require both Broadcast RID and
   Network RID for large UAS, but allow RID requirements for small UAS
   to be satisfied with the operator's choice of either Broadcast RID or
   Network RID.  The EASA initially specified Broadcast RID for
   essentially all UAS and is now also considering Network RID.  The FAA
   RID Final Rules specify only Broadcast RID for UAS but still
   encourage Network RID for complementary functionality, especially in
   support of UTM.

   One obvious opportunity is to enhance the architecture with gateways
   from Broadcast RID to Network RID.  This provides the best of both
   and gives regulators and operators flexibility.  It offers
   considerable enhancement over some Network RID options such as only
   reporting planned 4D operation space by the operator.

   These gateways could be pre-positioned (e.g. around airports, public
   gatherings, and other sensitive areas) and/or crowd-sourced (as
   nothing more than a smartphone with a suitable app is needed).  As
   Broadcast RID media have limited range, gateways receiving messages
   claiming locations far from the gateway can alert authorities or a
   SDSP to the failed sanity check possibly indicating intent to
   deceive.  Surveillance SDSPs can use messages with precise date/time/
   position stamps from the gateways to multilaterate UA location,
   independent of the locations claimed in the messages (which may have
   a natural time lag as it is), which are entirely operator self-
   reported in UAS RID and UTM.

   Further, gateways with additional sensors (e.g. smartphones with
   cameras) can provide independent information on the UA type and size,
   confirming or refuting those claims made in the RID messages.
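
   The gateway range sanity check described above is shown in Go below.
   This is an added example, not part of this draft: the Report type,
   the function names, the 2000 m reception range and the 50 m gateway
   position error are assumptions chosen for illustration, and the
   reports in main are constructed.

```go
package main

import (
	"fmt"
	"math"
)

// Report is the claimed UA position decoded from one Broadcast RID message.
type Report struct {
	ID       string  // constructed placeholder, not a real UAS ID
	Lat, Lon float64 // claimed position in degrees
}

const earthRadiusM = 6371000.0

// distanceM returns the great-circle (haversine) distance in metres.
func distanceM(lat1, lon1, lat2, lon2 float64) float64 {
	rad := math.Pi / 180
	dLat, dLon := (lat2-lat1)*rad, (lon2-lon1)*rad
	a := math.Pow(math.Sin(dLat/2), 2) +
		math.Cos(lat1*rad)*math.Cos(lat2*rad)*math.Pow(math.Sin(dLon/2), 2)
	return 2 * earthRadiusM * math.Asin(math.Sqrt(a))
}

// Check classifies a report heard by a gateway located at (gwLat, gwLon).
// gwErrM is the gateway's own position uncertainty and maxRangeM the
// assumed maximum reception range of the broadcast medium. A claimed
// position farther away than both allow cannot have been heard directly,
// so the claim (not the radio) is what failed.
func Check(gwLat, gwLon, gwErrM, maxRangeM float64, r Report) (string, float64) {
	if math.IsNaN(r.Lat) || math.IsNaN(r.Lon) ||
		math.Abs(r.Lat) > 90 || math.Abs(r.Lon) > 180 {
		return "invalid-position", 0
	}
	d := distanceM(gwLat, gwLon, r.Lat, r.Lon)
	if d > maxRangeM+gwErrM {
		return "out-of-range", d
	}
	return "plausible", d
}

func main() {
	const gwLat, gwLon = 52.0, 4.0 // constructed gateway position
	reports := []Report{ // constructed sample reports
		{"UA-A", 52.01, 4.0},
		{"UA-B", 52.10, 4.0},
		{"UA-C", 95.00, 4.0},
	}
	for _, r := range reports {
		verdict, d := Check(gwLat, gwLon, 50, 2000, r)
		fmt.Printf("%s claimed %.0f m away: %s\n", r.ID, d, verdict)
	}
}
```

   Reports classified as out-of-range are the ones a gateway would pass
   to authorities or an SDSP as a failed sanity check.
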
This Crowd Sourced Remote ID (CS-RID) would be a significant enhancement, beyond baseline DRIP functionality; if implemented, it adds two more entity types.

6.1.  The CS-RID Finder

A CS-RID Finder is the gateway for Broadcast Remote ID Messages into the UTM. It performs this gateway function via a CS-RID SDSP. A CS-RID Finder could implement, integrate, or accept outputs from, a Broadcast RID receiver. However, it cannot interface directly with a GCS, Net-RID SP, Net-RID DP or Network RID client. It would present a TBD interface to a CS-RID SDSP; this interface needs to be based upon but readily distinguishable from that between a GCS and a Net-RID SP.

6.2.  The CS-RID SDSP

A CS-RID SDSP would appear (i.e. present the same interface) to a Net-RID SP as a Net-RID DP. A CS-RID SDSP cannot present a standard GCS-facing interface as if it were a Net-RID SP. A CS-RID SDSP would present a TBD interface to a CS-RID Finder; this interface can be based upon but readily distinguishable from that between a GCS and a Net-RID SP.

7.  Privacy for Broadcast PII

Broadcast RID messages can contain PII. A viable architecture for PII protection would be symmetric encryption of the PII using a key known to the UAS and its USS. An authorized Observer could send the encrypted PII along with the UAS ID (to entities such as USS of the Observer, or to the UAS in which the UAS ID is registered if that can be determined from the UAS ID itself or to a Public Safety USS) to get the plaintext. Alternatively, the authorized Observer can receive the key to directly decrypt all future PII content from the UA.

PII can be protected unless the UAS is informed otherwise. This could come from operational instructions to even permit flying in a space/time. It can be special instructions at the start or during an operation.
PII protection cannot be used if the UAS loses connectivity to the USS. The UAS always has the option to abort the operation if PII protection is disallowed.

An authorized Observer can instruct a UAS via the USS that conditions have changed, mandating no PII protection or landing the UA (aborting the operation).

8.  Security Considerations

The security provided by asymmetric cryptographic techniques depends upon protection of the private keys. A manufacturer that embeds a private key in a UA may have retained a copy. A manufacturer whose UA are configured by a closed source application on the GCS which communicates over the Internet with the factory may be sending a copy of a UA or GCS self-generated key back to the factory. Keys may be extracted from a GCS or UA. The RID sender of a small harmless UA (or the entire UA) could be carried by a larger dangerous UA as a "false flag." Compromise of a registry private key could do widespread harm. Key revocation procedures are as yet to be determined. These risks are in addition to those involving Operator key management practices.

9.  Acknowledgements

The work of the FAA's UAS Identification and Tracking (UAS ID) Aviation Rulemaking Committee (ARC) is the foundation of later ASTM and proposed IETF DRIP WG efforts. The work of ASTM F38.02 in balancing the interests of diverse stakeholders is essential to the necessary rapid and widespread deployment of UAS RID. IETF volunteers who have contributed to this draft include Amelia Andersdotter and Mohamed Boucadair.

10.  References

10.1.  Normative References

[I-D.ietf-drip-reqs] Card, S. W., Wiethuechter, A., Moskowitz, R., and A. Gurtov, "Drone Remote Identification Protocol (DRIP) Requirements", Work in Progress, Internet-Draft, draft-ietf-drip-reqs-12, 23 May 2021.

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.

[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017.

10.2.  Informative References

[CTA2063A] ANSI, "Small Unmanned Aerial Systems Serial Numbers", 2019.

[Delegated] European Union Aviation Safety Agency (EASA), "EU Commission Delegated Regulation 2019/945 of 12 March 2019 on unmanned aircraft systems and on third-country operators of unmanned aircraft systems", 2019.

[F3411-19] ASTM, "Standard Specification for Remote ID and Tracking", 2019.

[FAA_RID] United States Federal Aviation Administration (FAA), "Remote Identification of Unmanned Aircraft", 2021.

[FAA_UAS_Concept_Of_Ops] United States Federal Aviation Administration (FAA), "Unmanned Aircraft System (UAS) Traffic Management (UTM) Concept of Operations (V2.0)", 2020.

[I-D.ietf-drip-rid] Moskowitz, R., Card, S. W., Wiethuechter, A., and A. Gurtov, "UAS Remote ID", Work in Progress, Internet-Draft, draft-ietf-drip-rid-07, 28 January 2021.

[Implementing] European Union Aviation Safety Agency (EASA), "EU Commission Implementing Regulation 2019/947 of 24 May 2019 on the rules and procedures for the operation of unmanned aircraft", 2019.

[LAANC] United States Federal Aviation Administration (FAA), "Low Altitude Authorization and Notification Capability", n.d.

[NPRM] United States Federal Aviation Administration (FAA), "Notice of Proposed Rule Making on Remote Identification of Unmanned Aircraft Systems", 2019.

[RFC1034] Mockapetris, P., "Domain names - concepts and facilities", STD 13, RFC 1034, DOI 10.17487/RFC1034, November 1987.

[RFC3972] Aura, T., "Cryptographically Generated Addresses (CGA)", RFC 3972, DOI 10.17487/RFC3972, March 2005.

[RFC5730] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)", STD 69, RFC 5730, DOI 10.17487/RFC5730, August 2009.

[RFC5731] Hollenbeck, S., "Extensible Provisioning Protocol (EPP) Domain Name Mapping", STD 69, RFC 5731, DOI 10.17487/RFC5731, August 2009.

[RFC7033] Jones, P., Salgueiro, G., Jones, M., and J. Smarr, "WebFinger", RFC 7033, DOI 10.17487/RFC7033, September 2013.

[RFC7401] Moskowitz, R., Ed., Heer, T., Jokela, P., and T. Henderson, "Host Identity Protocol Version 2 (HIPv2)", RFC 7401, DOI 10.17487/RFC7401, April 2015.

[RFC7482] Newton, A. and S. Hollenbeck, "Registration Data Access Protocol (RDAP) Query Format", RFC 7482, DOI 10.17487/RFC7482, March 2015.

[RFC7484] Blanchet, M., "Finding the Authoritative Registration Data (RDAP) Service", RFC 7484, DOI 10.17487/RFC7484, March 2015.

[RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015.

[RFC8002] Heer, T. and S. Varjonen, "Host Identity Protocol Certificates", RFC 8002, DOI 10.17487/RFC8002, October 2016.

[RFC8004] Laganier, J. and L. Eggert, "Host Identity Protocol (HIP) Rendezvous Extension", RFC 8004, DOI 10.17487/RFC8004, October 2016.

[RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital Signature Algorithm (EdDSA)", RFC 8032, DOI 10.17487/RFC8032, January 2017.

[RFC8392] Jones, M., Wahlstroem, E., Erdtman, S., and H. Tschofenig, "CBOR Web Token (CWT)", RFC 8392, DOI 10.17487/RFC8392, May 2018.

[RFC8949] Bormann, C. and P. Hoffman, "Concise Binary Object Representation (CBOR)", STD 94, RFC 8949, DOI 10.17487/RFC8949, December 2020.

[TS-22.825] 3GPP, "UAS RID requirement study", n.d.

[U-Space] European Organization for the Safety of Air Navigation (EUROCONTROL), "U-space Concept of Operations", 2019.

Appendix A.  Overview of Unmanned Aircraft Systems (UAS) Traffic Management (UTM)

A.1.  Operation Concept

The efforts of the National Aeronautics and Space Administration (NASA) and the FAA to integrate UAS operations into the national airspace system (NAS) led to the development of the concept of UTM and the ecosystem around it. The UTM concept was initially presented in 2013 and version 2.0 was published in 2020 [FAA_UAS_Concept_Of_Ops].

The eventual development and implementation are conducted by the UTM research transition team, which is a joint workforce of the FAA and NASA. Worldwide efforts followed. The Single European Sky ATM Research (SESAR) started the CORUS project to research its UTM counterpart concept, namely [U-Space]. This effort is led by the European Organization for the Safety of Air Navigation (Eurocontrol).

Both NASA and SESAR have published the UTM concept of operations to guide the development of their future air traffic management (ATM) system and to ensure the safe and efficient integration of manned and unmanned aircraft into the national airspace.

The UTM comprises UAS operation infrastructure, procedures and local regulation compliance policies to guarantee the safe integration and operation of UAS. The main functionality of a UTM includes, but is not limited to, providing means of communication between UAS operators and service providers and a platform to facilitate communication among UAS service providers.

A.2.  UAS Service Supplier (USS)

A USS plays an important role in fulfilling the key performance indicators (KPIs) that a UTM has to offer. Such an entity acts as a proxy between UAS operators and UTM service providers.
It provides services like real-time UAS traffic monitoring and planning, aeronautical data archiving, airspace and violation control, interacting with other third-party control entities, etc. A USS can coexist with other USS(s) to build a large service coverage map which can load-balance, relay and share UAS traffic information.

The FAA works with UAS industry shareholders and promotes the Low Altitude Authorization and Notification Capability [LAANC] program, which is the first system to realize some of the UTM envisioned functionality. The LAANC program can automate the UAS's flight plan application and approval process for airspace authorization in real-time by checking against multiple aeronautical databases such as airspace classification and the fly rules associated with it, the FAA UAS facility map, special use airspace, Notice to Airmen (NOTAM), and Temporary Flight Rule (TFR).

A.3.  UTM Use Cases for UAS Operations

This section illustrates a couple of use case scenarios where UAS participation in UTM yields a significant safety improvement.

1.  For a UAS participating in UTM that takes off or lands in controlled airspace (e.g., Class Bravo, Charlie, Delta and Echo in the United States), the USS with which the UAS is currently communicating is responsible for the UAS's registration, authenticating the UAS's flight plan by checking against the designated UAS flight map database, obtaining the air traffic control (ATC) authorization, and monitoring the UAS flight path in order to maintain a safe boundary and follow the pre-authorized route.

2.  For a UAS participating in UTM that takes off or lands in uncontrolled airspace (e.g., Class Golf in the United States), pre-flight authorization must be obtained from a USS when operating beyond-visual-line-of-sight (BVLOS). The USS either accepts or rejects the intended flight plan received from the UAS. An accepted UAS operation may share its current flight data, such as GPS position and altitude, with the USS. The USS may keep the UAS operation status in near real-time and may keep it as a record for overall airspace air traffic monitoring.

A.4.  Automatic Dependent Surveillance Broadcast (ADS-B)

The ADS-B is the de jure technology used in manned aviation for sharing location information, from the aircraft to ground and satellite-based systems, designed in the early 2000s. Broadcast RID is conceptually similar to ADS-B, but with the receiver target being the general public on generally available devices (e.g. smartphones).

For numerous technical reasons, ADS-B itself is not suitable for low-flying small UA. Technical reasons include, but are not limited to, the following:

1.  Lack of support for the 1090 MHz ADS-B channel on any consumer handheld devices

2.  Weight and cost of ADS-B transponders on CSWaP constrained UA

3.  Limited bandwidth of both uplink and downlink, which would likely be saturated by large numbers of UAS, endangering manned aviation

Understanding these technical shortcomings, regulators worldwide have ruled out the use of ADS-B for the small UAS for which UAS RID and DRIP are intended.

Authors' Addresses

Stuart W. Card
AX Enterprize
4947 Commercial Drive
Yorkville, NY, 13495
United States of America

Email: stu.card@axenterprize.com

Adam Wiethuechter
AX Enterprize
4947 Commercial Drive
Yorkville, NY, 13495
United States of America

Email: adam.wiethuechter@axenterprize.com

Robert Moskowitz
HTT Consulting
Oak Park, MI, 48237
United States of America

Email: rgm@labs.htt-consult.com

Shuai Zhao
Tencent
2747 Park Blvd
Palo Alto, 94588
United States of America

Email: shuai.zhao@ieee.org

Andrei Gurtov
Linköping University
IDA
SE-58183 Linköping Linköping
Sweden

Email: gurtov@acm.org
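Section 6 describes gateways flagging Broadcast RID messages that claim locations far from the receiving gateway. The following Python code is an added example, not part of the draft: the report fields, the 3 km reception bound, the verdict names and the sample coordinates are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0
# Assumption: generous upper bound on how far the Broadcast RID medium can be
# received by this gateway; set per medium and antenna in a real deployment.
MAX_RX_RANGE_M = 3_000.0

@dataclass(frozen=True)
class GatewayReport:
    uas_id: str           # ID claimed in the broadcast message (self-reported)
    claimed_lat: float    # position claimed in the message (self-reported)
    claimed_lon: float
    gw_lat: float         # gateway's own position stamp
    gw_lon: float
    gw_accuracy_m: float  # gateway's own position uncertainty

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS-84 lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def check_report(r, max_range_m=MAX_RX_RANGE_M):
    """Return (verdict, distance_m); verdict is plausible/implausible/invalid."""
    # NaN fails both comparisons, so malformed coordinates land here too.
    if not (-90 <= r.claimed_lat <= 90 and -180 <= r.claimed_lon <= 180):
        return ("invalid", None)
    d = haversine_m(r.gw_lat, r.gw_lon, r.claimed_lat, r.claimed_lon)
    # Allow for the gateway's own position error before raising an alert.
    if d > max_range_m + r.gw_accuracy_m:
        return ("implausible", d)
    return ("plausible", d)

def alerts_for_sdsp(reports):
    """Reports a gateway would escalate to authorities or an SDSP."""
    out = []
    for r in reports:
        verdict, dist = check_report(r)
        if verdict != "plausible":
            out.append({"uas_id": r.uas_id, "verdict": verdict,
                        "distance_m": None if dist is None else round(dist)})
    return out

# Constructed sample reports (not real observations); one gateway position.
SAMPLE_REPORTS = [
    GatewayReport("UAS-EXAMPLE-1", 43.1050, -75.2000, 43.1000, -75.2000, 10.0),
    GatewayReport("UAS-EXAMPLE-2", 43.5000, -75.2000, 43.1000, -75.2000, 10.0),
    GatewayReport("UAS-EXAMPLE-3", 123.0, -75.2000, 43.1000, -75.2000, 10.0),
]

if __name__ == "__main__":
    for alert in alerts_for_sdsp(SAMPLE_REPORTS):
        print(alert)
```

A failed check is only a signal for follow-up: the claimed position is operator self-reported, so an SDSP would still compare it against positions derived from the gateways' own stamps.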