idnits 2.17.1 draft-ietf-drip-reqs-04.txt: -(8): Line appears to be too long, but this could be caused by non-ascii characters in UTF-8 encoding Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == There are 3 instances of lines with non-ascii characters in the document. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (25 August 2020) is 1337 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Outdated reference: A later version (-06) exists of draft-maeurer-raw-ldacs-05 Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 DRIP S. Card, Ed. 3 Internet-Draft A. Wiethuechter 4 Intended status: Informational AX Enterprize 5 Expires: 26 February 2021 R. Moskowitz 6 HTT Consulting 7 A. Gurtov 8 Linköping University 9 25 August 2020 11 Drone Remote Identification Protocol (DRIP) Requirements 12 draft-ietf-drip-reqs-04 14 Abstract 16 This document defines the requirements for Drone Remote 17 Identification Protocol (DRIP) Working Group protocols to support 18 Unmanned Aircraft System Remote Identification and tracking (UAS RID) 19 for security, safety and other purposes. Complementing external 20 technical standards as regulator-accepted means of compliance with 21 UAS RID regulations, DRIP will: 23 facilitate use of existing Internet resources to support UAS RID 24 and to enable enhanced related services; 26 enable online and offline verification that UAS RID information is 27 trustworthy. 29 Status of This Memo 31 This Internet-Draft is submitted in full conformance with the 32 provisions of BCP 78 and BCP 79. 34 Internet-Drafts are working documents of the Internet Engineering 35 Task Force (IETF). Note that other groups may also distribute 36 working documents as Internet-Drafts. The list of current Internet- 37 Drafts is at https://datatracker.ietf.org/drafts/current/. 39 Internet-Drafts are draft documents valid for a maximum of six months 40 and may be updated, replaced, or obsoleted by other documents at any 41 time. It is inappropriate to use Internet-Drafts as reference 42 material or to cite them other than as "work in progress." 44 This Internet-Draft will expire on 26 February 2021. 46 Copyright Notice 48 Copyright (c) 2020 IETF Trust and the persons identified as the 49 document authors. All rights reserved. 51 This document is subject to BCP 78 and the IETF Trust's Legal 52 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 53 license-info) in effect on the date of publication of this document. 54 Please review these documents carefully, as they describe your rights 55 and restrictions with respect to this document. Code Components 56 extracted from this document must include Simplified BSD License text 57 as described in Section 4.e of the Trust Legal Provisions and are 58 provided without warranty as described in the Simplified BSD License. 60 Table of Contents 62 1. Introduction (Informative) . . . . . . . . . . . . . . . . . 2 63 1.1. Overall Context . . . . . . . . . . . . . . . . . . . . . 3 64 1.2. Intended Use . . . . . . . . . . . . . . . . . . . . . . 5 65 1.3. DRIP Scope . . . . . . . . . . . . . . . . . . . . . . . 7 66 2. Terms and Definitions . . . . . . . . . . . . . . . . . . . . 7 67 2.1. Requirements Terminology . . . . . . . . . . . . . . . . 8 68 2.2. Definitions . . . . . . . . . . . . . . . . . . . . . . . 8 69 3. UAS RID Problem Space . . . . . . . . . . . . . . . . . . . . 15 70 3.1. Network RID . . . . . . . . . . . . . . . . . . . . . . . 16 71 3.2. Broadcast RID . . . . . . . . . . . . . . . . . . . . . . 17 72 3.3. DRIP Focus . . . . . . . . . . . . . . . . . . . . . . . 18 73 4. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 19 74 4.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 19 75 4.2. Identifier . . . . . . . . . . . . . . . . . . . . . . . 21 76 4.3. Privacy . . . . . . . . . . . . . . . . . . . . . . . . . 22 77 4.4. Registries . . . . . . . . . . . . . . . . . . . . . . . 23 78 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23 79 6. Security Considerations . . . . . . . . . . . . . . . . . . . 23 80 7. Privacy and Transparency Considerations . . . . . . . . . . . 24 81 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 25 82 8.1. Normative References . . . . . . . . . . . . . . . . . . 25 83 8.2. Informative References . . . . . . . . . . . . . . . . . 25 84 Appendix A. Discussion and Limitations . . . . . . . . . . . . . 28 85 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 29 86 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 29 88 1. Introduction (Informative) 89 1.1. Overall Context 91 Many considerations (especially safety and security) dictate that UAS 92 be remotely identifiable. Any Observer with responsibilities 93 involving aircraft inherently must classify Unmanned Aircraft (UA) 94 situationally according to basic considerations, as illustrated 95 notionally in Figure 1 below. An Observer who classifies an UAS: as 96 Taskable, can ask it to do something useful; as Low Concern, can 97 reasonably assume it is not malicious, and would cooperate with 98 requests to modify its flight plans for safety reasons; as High 99 Concern or Unidentified, is worth focused surveillance. 101 xxxxxxx +--------------+ 102 x x No | | 103 x ID? x+---->| UNIDENTIFIED | 104 x x | | 105 xxxxxxx +--------------+ 106 + 107 | Yes 108 v 109 xxxxxxx 110 x x 111 +---------+x TYPE? x+----------+ 112 | x x | 113 | xxxxxxx | 114 | + | 115 v v v 116 +--------------+ +--------------+ +--------------+ 117 | | | | | | 118 | TASKABLE | | LOW CONCERN | | HIGH CONCERN | 119 | | | | | | 120 +--------------+ +--------------+ +--------------+ 122 Figure 1: "Notional UAS Classification" 124 Civil Aviation Authorities (CAAs) worldwide are mandating Unmanned 125 Aircraft System Remote Identification and tracking (UAS RID). The 126 European Union Aviation Safety Agency (EASA) has published 127 [Delegated] and [Implementing] Regulations. The United States (US) 128 Federal Aviation Administration (FAA) has published a Notice of 129 Proposed Rule Making [NPRM] and has described the key role that UAS 130 RID plays in UAS Traffic Management (UTM) in [FAACONOPS] (especially 131 Section 2.6). CAAs currently (2020) promulgate performance-based 132 regulations that do not specify techniques, but rather cite industry 133 consensus technical standards as acceptable means of compliance. 135 ASTM International, Technical Committee F38 (UAS), Subcommittee 136 F38.02 (Aircraft Operations), Work Item WK65041, developed ASTM 137 F3411-19 [F3411-19] Standard Specification for Remote ID and Tracking 138 (early drafts are freely available as [OpenDroneID] specifications). 139 It defines two means of UAS RID: 141 Network RID defines a set of information for UAS to make available 142 globally indirectly via the Internet, through servers that can be 143 queried by Observers. 145 Broadcast RID defines a set of messages for UA to transmit locally 146 directly one-way over Bluetooth or Wi-Fi, to be received in real 147 time by local Observers. 149 The same information must be provided via both means. The 150 presentation may differ, as Network RID defines a data dictionary, 151 whereas Broadcast RID defines message formats (which carry items from 152 that same data dictionary). The frequency with which it is sent may 153 differ, as Network RID can accommodate Observer queries asynchronous 154 to UAS updates (which generally need be sent only when information, 155 such as GCS location, changes), whereas Broadcast RID depends upon 156 Observers receiving UA messages at the time they are transmitted. 157 Network RID depends upon Internet connectivity in several segments 158 from the UAS to each Observer. Broadcast RID should need Internet 159 (or other Wide Area Network) connectivity only for UAS registry 160 information lookup using the directly locally received UAS Identifier 161 (UAS ID) as a key. Broadcast RID does not assume IP connectivity of 162 UAS; messages are encapsulated by the UA without IP, directly in 163 Bluetooth or WiFi link layer frames. 165 [F3411-19] specifies three UAS ID types: 167 TYPE-1 A static, manufacturer assigned, hardware serial number per 168 ANSI/CTA-2063-A "Small Unmanned Aerial System Serial Numbers" 169 [CTA2063A]. 171 TYPE-2 A CAA assigned (presumably static) ID. 173 TYPE-3 A UTM system assigned UUID [RFC4122], which can but need not 174 be dynamic. 176 The EU allows only Type 1. The US allows Types 1 and 3, but requires 177 Type 3 IDs (if used) each to be used only once (for a single UAS 178 flight, which in the context of UTM is called an "operation"). The 179 EU also requires an operator registration number (an additional 180 identifier distinct from the UAS ID) that can be carried in an 181 [F3411-19] optional Operator ID message. As yet apparently there are 182 no CAA proposals to use Type 2. 184 [F3411-19] Broadcast RID transmits all information as cleartext 185 (ASCII or binary), so static IDs enable trivial correlation of 186 patterns of use, unacceptable in many applications, e.g., package 187 delivery routes of competitors. 189 [Opinion1] and [WG105] cite the Direct Remote Identification 190 previously required and specified, explicitly stating that whereas 191 Direct RID is primarily for security purposes, "Electronic 192 Identification" (or the "Network Identification Service" in the 193 context of U-Space) is primarily for safety purposes (e.g. air 194 traffic management, especially hazards deconfliction) and also is 195 allowed to be used for other purposes such as support of efficient 196 operations. These emerging standards allow the security and safety 197 oriented systems to be separate or merged. In addition to mandating 198 both Broadcast and Network one-way to Observers, they will use V2V to 199 other UAS (also likely to and/or from some manned aircraft). 201 Security oriented UAS RID regulations essentially have two goals: 202 enable the general public to obtain and record an opaque ID for any 203 observed UA, which they can then report to authorities; enable 204 authorities, from such an ID, to look up information about the UAS 205 and its operator, especially location. Safety oriented UAS RID has 206 stronger requirements. Aviation community SDOs set a higher bar for 207 safety than for security, especially with respect to reliability. 209 1.2. Intended Use 211 An ID is not an end in itself; it exists to enable lookups and 212 provision of services complementing mere identification. 214 Minimal specified information must be made available to the public; 215 access to other data, e.g., UAS operator Personally Identifiable 216 Information (PII), must be limited to strongly authenticated 217 personnel, properly authorized per policy. The balance between 218 privacy and transparency remains a subject for public debate and 219 regulatory action; DRIP can only offer tools to expand the achievable 220 trade space and enable trade-offs within that space. [F3411-19] 221 specifies only how to get the UAS ID to the Observer; how the 222 Observer can perform these lookups, and how the registries first can 223 be populated with information, is unspecified. 225 Using UAS RID to facilitate vehicular (V2X) communications and 226 applications such as Detect And Avoid (DAA), which would impose 227 tighter latency bounds than RID itself, is an obvious possibility, 228 explicitly contemplated in the FAA NPRM. However, applications of 229 RID beyond RID itself have been omitted from [F3411-19]; DAA has been 230 explicitly declared out of scope in ASTM working group discussions, 231 based on a distinction between RID as a security standard vs DAA as a 232 safety application. Although dynamic establishment of secure 233 communications between the Observer and the UAS pilot seems to have 234 been contemplated by the FAA UAS ID and Tracking Aviation Rulemaking 235 Committee (ARC) in their [Recommendations], it is not addressed in 236 any of the subsequent proposed regulations or technical 237 specifications. 239 The need for near-universal deployment of UAS RID is pressing. This 240 implies the need to support use by Observers of already ubiquitous 241 mobile devices (typically smartphones and tablets). Anticipating 242 likely CAA requirements to support legacy devices, especially in 243 light of [Recommendations], [F3411-19] specifies that any UAS sending 244 Broadcast RID over Bluetooth must do so over Bluetooth 4, regardless 245 of whether it also does so over newer versions; as UAS sender devices 246 and Observer receiver devices are unpaired, this implies extremely 247 short "advertisement" (beacon) frames. 249 UA onboard RID devices are severely constrained in Cost ($), Size, 250 Weight and Power ($SWaP). Cost is a significant impediment to the 251 necessary near-universal adoption of UAS send and Observer receive 252 RID capabilities. $SWaP is a burden not only on the designers of new 253 UA for production and sale, but also on owners of existing UA that 254 must be retrofit. Radio Controlled (RC) aircraft modelers, "hams" 255 who use licensed amateur radio frequencies to control UAS, drone 256 hobbyists and others who custom build UAS all need means of 257 participating in UAS RID, sensitive to both generic $SWaP and 258 application-specific considerations. 260 To accommodate the most severely constrained cases, all these 261 conspire to motivate system design decisions, especially for the 262 Broadcast RID data link, which complicate the protocol design 263 problem: one-way links; extremely short packets; and Internet- 264 disconnected operation of UA onboard devices. Internet-disconnected 265 operation of Observer devices has been deemed by ASTM F38.02 too 266 infrequent to address, but for some users is important and presents 267 further challenges. 269 Despite work by regulators and Standards Development Organizations 270 (SDOs), there are substantial gaps in UAS standards generally and UAS 271 RID specifically. [Roadmap] catalogs UAS related standards, ongoing 272 standardization activities and gaps (as of early 2020); Section 7.8 273 catalogs those related specifically to UAS RID. 275 Given not only packet payload length and bandwidth, but also 276 processing and storage within the $SWaP constraints of very small 277 (e.g. consumer toy) UA, heavyweight cryptographic security protocols 278 are infeasible, yet trustworthiness of UAS RID information is 279 essential. Under [F3411-19], even the most basic datum, the UAS ID 280 string (typically number) itself can be merely an unsubstantiated 281 claim. Observer devices being ubiquitous, thus popular targets for 282 malware or other compromise, cannot be generally trusted (although 283 the user of each device is compelled to trust that device, to some 284 extent); a "fair witness" functionality (inspired by [Stranger]) is 285 desirable. 287 1.3. DRIP Scope 289 DRIP's initial goal is to make RID immediately actionable, in both 290 Internet and local-only connected scenarios (especially emergencies), 291 in severely constrained UAS environments, balancing legitimate (e.g., 292 public safety) authorities' Need To Know trustworthy information with 293 UAS operators' privacy. By "immediately actionable" is meant 294 information of sufficient precision, accuracy, timeliness, etc. for 295 an Observer to use it as the basis for immediate decisive action, 296 whether that be to trigger a defensive counter-UAS system, to attempt 297 to initiate communications with the UAS operator, to accept the 298 presence of the UAS in the airspace where/when observed as not 299 requiring further action, or whatever, with potentially severe 300 consequences of any action or inaction chosen based on that 301 information. For further explanation of the concept of immediate 302 actionability, see [ENISACSIRT]. Note that UAS RID must achieve near 303 universal adoption, but DRIP can add value even if only selectively 304 deployed, as those with jurisdiction over more sensitive airspace 305 volumes may set a higher than generally mandated RID bar for flight 306 in those volumes. Potential follow-on goals may extend beyond 307 providing timely and trustworthy identification data, to using it to 308 enable identity-oriented networking of UAS. 310 DRIP (originally Trustworthy Multipurpose Remote Identification, TM- 311 RID) potentially could be applied to verifiably identify other types 312 of registered things reported to be in specified physical locations, 313 but the urgent motivation and clear initial focus is UAS. Existing 314 Internet resources (protocol standards, services, infrastructure, and 315 business models) should be leveraged. A natural Internet based 316 architecture for UAS RID conforming to proposed regulations and 317 external technical standards is described in a companion architecture 318 document [drip-architecture] and elaborated in other DRIP documents; 319 this document describes only relevant requirements and defines 320 terminology for the set of DRIP documents. 322 2. Terms and Definitions 323 2.1. Requirements Terminology 325 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 326 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 327 "OPTIONAL" in this document are to be interpreted as described in BCP 328 14 [RFC2119] [RFC8174] when, and only when, they appear in all 329 capitals, as shown here. 331 2.2. Definitions 333 This section defines a set of terms expected to be used in DRIP 334 documents. This list is meant to be the DRIP terminology reference. 335 Some of the terms listed below are not used in this document. 336 [RFC4949] provides a glossary of Internet security terms that should 337 be used where applicable. In the UAS community, the plural form of 338 acronyms generally is the same as the singular form, e.g. Unmanned 339 Aircraft System (singular) and Unmanned Aircraft Systems (plural) are 340 both represented as UAS. On this and other terminological issues, to 341 encourage comprehension necessary for adoption of DRIP by the 342 intended user community, that community's norms are respected herein, 343 and definitions are quoted in cases where they have been found in 344 that community's documents. Most of the listed terms are from that 345 community (even if specific source documents are not cited); any that 346 are DRIP-specific or invented by the authors of this document are 347 marked "(DRIP)". 349 $SWaP 350 Cost, Size, Weight and Power. (DRIP) 352 AAA 353 Attestation, Authentication, Authorization, Access Control, 354 Accounting, Attribution, Audit, or any subset thereof (uses differ 355 by application, author and context). (DRIP) 357 ABDAA 358 AirBorne DAA. Accomplished using systems onboard the aircraft 359 involved. Also known as "self-separation". 361 ADS-B 362 Automatic Dependent Surveillance - Broadcast. "ADS-B Out" 363 equipment obtains aircraft position from other on-board systems 364 (typically GNSS) and periodically broadcasts it to "ADS-B In" 365 equipped entities, including other aircraft, ground stations and 366 satellite based monitoring systems. 368 AGL 369 Above Ground Level. Relative altitude, above the variously 370 defined local ground level, typically of an UA, measured in feet 371 or meters. Should be explicitly specified as either barometric 372 (pressure) or geodetic (GNSS). 374 ATC 375 Air Traffic Control. Explicit flight direction to pilots from 376 ground controllers. Contrast with ATM. 378 ATM 379 Air Traffic Management. A broader functional and geographic scope 380 and/or a higher layer of abstraction than ATC. "The dynamic, 381 integrated management of air traffic and airspace including air 382 traffic services, airspace management and air traffic flow 383 management - safely, economically and efficiently - through the 384 provision of facilities and seamless services in collaboration 385 with all parties and involving airborne and ground-based 386 functions." [ICAOATM] 388 Authentication Message 389 [F3411-19] Message Type 2. Provides framing for authentication 390 data, only. Optional per [F3411-19] but may be required by 391 regulations. 393 Basic ID Message 394 [F3411-19] Message Type 0. Provides UA Type, UAS ID Type and UAS 395 ID, only. Mandatory per [F3411-19]. 397 B-LOS 398 Beyond Line Of Sight (LOS). Term to be avoided due to ambiguity. 399 See LOS. 401 BV-LOS 402 Beyond Visual Line Of Sight (V-LOS). See V-LOS. 404 CAA 405 Civil Aviation Authority. Two examples are the United States 406 Federal Aviation Administration (FAA) and the European Union 407 Aviation Safety Agency (EASA). 409 C2 410 Command and Control. A set of organizational and technical 411 attributes and processes that employs human, physical, and 412 information resources to solve problems and accomplish missions. 413 Previously primarily used in military contexts. In the UAS 414 context, typically refers to the link between GCS and UA over 415 which the former controls the latter. 417 DAA 418 Detect And Avoid, formerly Sense And Avoid (SAA). A means of 419 keeping aircraft "well clear" of each other for safety. 421 Direct RID 422 Direct Remote Identification. Per [Delegated], "a system that 423 ensures the local broadcast of information about a UA in 424 operation, including the marking of the UA, so that this 425 information can be obtained without physical access to the UA". 426 Requirement could be met with ASTM Broadcast RID: Basic ID message 427 with UAS ID Type 1; Location/Vector message; Operator ID message; 428 System Message. Corresponds roughly to the Broadcast RID portion 429 of FAA NPRM Standard RID. 431 DSS 432 Discovery and Synchronization Service. Formerly Inter-USS. The 433 UTM system overlay network backbone. Most importantly, it enables 434 one USS to learn which other USS have UAS operating in a given 4-D 435 airspace volume, for deconfliction and surveillance; but it also 436 supports other functions. 438 E2E 439 End to End. 441 EUROCAE 442 European Organisation for Civil Aviation Equipment. Aviation SDO, 443 originally European, now with broader membership. Cooperates 444 extensively with RTCA. 446 GBDAA 447 Ground Based DAA. Accomplished with the aid of ground based 448 functions. 450 GCS 451 Ground Control Station. The part of the UAS that the remote pilot 452 uses to exercise C2 over the UA, whether by remotely exercising UA 453 flight controls to fly the UA, by setting GPS waypoints, or 454 otherwise directing its flight. 456 GNSS 457 Global Navigation Satellite System. Satellite based timing and/or 458 positioning with global coverage, often used to support 459 navigation. 461 GPS 462 Global Positioning System. A specific GNSS, but in this context, 463 the term is typically misused in place of the more generic term 464 GNSS. 466 GRAIN 467 Global Resilient Aviation Interoperable Network. ICAO managed 468 IPv6 overlay internetwork per IATF, dedicated to aviation (but not 469 just aircraft). Currently in design. 471 IATF 472 International Aviation Trust Framework. ICAO effort to develop a 473 resilient and secure by design framework for networking in support 474 of all aspects of aviation. 476 ICAO 477 International Civil Aviation Organization. A United Nations 478 specialized agency that develops and harmonizes international 479 standards relating to aviation. 481 LAANC 482 Low Altitude Authorization and Notification Capability. Supports 483 ATC authorization requirements for UAS operations: remote pilots 484 can apply to receive a near real-time authorization for operations 485 under 400 feet in controlled airspace near airports. US partial 486 stopgap until UTM comes. 488 Limited RID 489 Per the FAA NPRM, a mode of operation that must use Network RID, 490 must not use Broadcast RID, and must provide pilot/GCS location 491 only (not UA location). This mode is only allowed for UA that 492 neither require (due to e.g. size) nor are equipped for Standard 493 RID, operated within V-LOS and within 400 feet of the pilot, below 494 400 feet AGL, etc. 496 Location/Vector Message 497 [F3411-19] Message Type 1. Provides UA location, altitude, 498 heading and speed, only. Mandatory per [F3411-19]. 500 LOS 501 Line Of Sight. An adjectival phrase describing any information 502 transfer that travels in a nearly straight line (e.g. 503 electromagnetic energy, whether in the visual light, RF or other 504 frequency range) and is subject to blockage. A term to be avoided 505 due to ambiguity, in this context, between RF-LOS and V-LOS. 507 MSL 508 Mean Sea Level. Relative altitude, above the variously defined 509 mean sea level, typically of an UA (but in FAA NPRM also for a 510 GCS), measured in or meters. Should be explicitly specified as 511 either barometric (pressure) or geodetic (GNSS). 513 Net-RID DP 514 Network RID Display Provider. Logical entity that aggregates data 515 from Net-RID SPs as needed in response to user queries regarding 516 UAS operating within specified airspace volumes, to enable display 517 by a user application on a user device. Potentially could provide 518 not only information sent via UAS RID but also information 519 retrieved from UAS RID registries, or information beyond UAS RID, 520 regarding subscribed USS. Under the FAA NPRM, not recognized as a 521 distinct entity, but a service provided by USS, including Public 522 Safety USS that may exist primarily for this purpose rather than 523 to manage any subscribed UAS. 525 Net-RID SP 526 Network RID Service Provider. Logical entity that collects RID 527 messages from UAS and responds to NetRID-DP queries for 528 information on UAS of which it is aware. Under the FAA NPRM, the 529 USS to which the UAS is subscribed ("Remote ID USS"). 531 Network Identification Service 532 EU regulatory requirement for Network RID. Requirement could be 533 met with ASTM Network RID: Basic ID message with UAS ID Type 1; 534 Location/Vector message; Operator ID message; System Message. 535 Corresponds roughly to the Network RID portion of FAA NPRM 536 Standard RID. 538 Observer 539 An entity (typically but not necessarily an individual human) who 540 has directly or indirectly observed an UA and wishes to know 541 something about it, starting with its ID. An observer typically 542 is on the ground and local (within V-LOS of an observed UA), but 543 could be remote (observing via Network RID or other surveillance), 544 operating another UA, aboard another aircraft, etc. (DRIP) 546 Operation 547 A flight, or series of flights of the same mission, by the same 548 UAS, in the same airspace volume, separated by at most brief 549 ground intervals. 551 Operator 552 "A person, organization or enterprise engaged in or offering to 553 engage in an aircraft operation." [ICAOUTM] 555 Operator ID Message 556 [F3411-19] Message Type 5. Provides CAA issued Operator ID, only. 557 Operator ID is distinct from UAS ID. Optional per [F3411-19] but 558 may be required by regulations. 560 PIC 561 Pilot In Command. "The pilot designated by the operator, or in 562 the case of general aviation, the owner, as being in command and 563 charged with the safe conduct of a flight." [ICAOATM] 565 PII 566 Personally Identifiable Information. In this context, typically 567 of the UAS Operator, Pilot In Command (PIC) or Remote Pilot, but 568 possibly of an Observer or other party. 570 Remote Pilot 571 A pilot using a GCS to exercise proximate control of an UA. 572 Either the PIC or under the supervision of the PIC. 574 RF-LOS 575 RF LOS. Typically used in describing operation of a direct radio 576 link between a GCS and the UA under its control, potentially 577 subject to blockage by foliage, structures, terrain or other 578 vehicles, but less so than V-LOS. 580 RTCA 581 Radio Technical Commission for Aeronautics. US aviation SDO. 582 Cooperates extensively with EUROCAE. 584 Self-ID Message 585 [F3411-19] Message Type 3. Provides a 1 byte descriptor and 23 586 byte ASCII free text field, only. Expected to be used to provide 587 context on the operation, e.g. mission intent. Optional unless 588 required by the cognizant CAA. Optional per [F3411-19] but may be 589 required by regulations. 591 Standard RID 592 Per the FAA NPRM, a mode of operation that must use both Network 593 RID (if Internet connectivity is available at the time in the 594 operating area) and Broadcast RID (always and everywhere), and 595 must provide both pilot/GCS location and UA location. This mode 596 is required for UAS that exceed the allowed envelope (e.g. size, 597 range) of Limited RID and for all UAS equipped for Standard RID 598 (even if operated within parameters that would otherwise permit 599 Limited RID). The Broadcast RID portion corresponds roughly to EU 600 Direct RID; the Network RID portion corresponds roughly to EU 601 Network Identification Service. 603 SDO 604 Standards Development Organization. ASTM, IETF, et al. 606 SDSP 607 Supplemental Data Service Provider. An entity that participates 608 in the UTM system, but provides services beyond those specified as 609 basic UTM system functions. E.g., provides weather data. 611 System Message 612 [F3411-19] Message Type 4. Provides general UAS information, 613 including remote pilot location, multiple UA group operational 614 area, etc. Optional per [F3411-19] but may be required by 615 regulations. 617 U-space 618 EU concept and emerging framework for integration of UAS into all 619 classes of airspace, specifically including high density urban 620 areas, sharing airspace with manned aircraft. 622 UA 623 Unmanned Aircraft. An aircraft which is intended to operate with 624 no pilot on board. In popular parlance, "drone". 626 UAS 627 Unmanned Aircraft System. Composed of UA, all required on-board 628 subsystems, payload, control station, other required off-board 629 subsystems, any required launch and recovery equipment, all 630 required crew members, and C2 links between UA and control 631 station. 633 UAS ID 634 UAS identifier. Although called "UAS ID", unique to the UA: 635 neither to the operator (as previous registration numbers have 636 been assigned), nor to the combination of GCS and UA that comprise 637 the UAS. Per [F3411-19]: maximum length of 20 bytes; see 638 Section 1.1, Paragraph 7 for currently defined values. 640 UAS ID Type 641 Identifier type index. Per [F3411-19], 4 bits, values 0-3 already 642 specified. 644 UAS RID 645 UAS Remote Identification. System for identifying UA during 646 flight by other parties. 648 UAS RID Verification Service 649 System component designed to handle the authentication 650 requirements of RID by offloading verification to a web hosted 651 service. 653 USS 654 UAS Service Supplier. "A USS is an entity that assists UAS 655 Operators with meeting UTM operational requirements that enable 656 safe and efficient use of airspace" and "... provide services to 657 support the UAS community, to connect Operators and other entities 658 to enable information flow across the USS Network, and to promote 659 shared situational awareness among UTM participants" per 660 [FAACONOPS]. 662 UTM 663 UAS Traffic Management. Per ICAO, "A specific aspect of air 664 traffic management which manages UAS operations safely, 665 economically and efficiently through the provision of facilities 666 and a seamless set of services in collaboration with all parties 667 and involving airborne and ground-based functions." In the US, 668 per FAA, a "traffic management" ecosystem for "uncontrolled" low 669 altitude UAS operations, separate from, but complementary to, the 670 FAA's ATC system for "controlled" operations of manned aircraft. 672 V2V 673 Vehicle-to-Vehicle. Originally communications between 674 automobiles, now extended to apply to communications between 675 vehicles generally. Often, together with Vehicle-to- 676 Infrastructure (V2I) etc., generalized to V2X. 678 V-LOS 679 Visual LOS. Typically used in describing operation of an UA by a 680 "remote" pilot who can clearly directly (without video cameras or 681 any other aids other than glasses or under some rules binoculars) 682 see the UA and its immediate flight environment. Potentially 683 subject to blockage by foliage, structures, terrain or other 684 vehicles, more so than RF-LOS. 686 3. UAS RID Problem Space 688 UA may be fixed wing Short Take-Off and Landing (STOL), rotary wing 689 (e.g., helicopter) Vertical Take-Off and Landing (VTOL), or hybrid. 690 They may be single- or multi-engine. The most common today are 691 multicopters: rotary wing, multi engine. The explosion in UAS was 692 enabled by hobbyist development, for multicopters, of advanced flight 693 stability algorithms, enabling even inexperienced pilots to take off, 694 fly to a location of interest, hover, and return to the take-off 695 location or land at a distance. UAS can be remotely piloted by a 696 human (e.g., with a joystick) or programmed to proceed from GNSS 697 waypoint to waypoint in a weak form of autonomy; stronger autonomy is 698 coming. UA are "low observable": they typically have small radar 699 cross sections; they make noise quite noticeable at short range but 700 difficult to detect at distances they can quickly close (500 meters 701 in under 17 seconds at 60 knots); they typically fly at low altitudes 702 (for the small UAS to which RID applies in the US, under 400 feet 703 AGL); they are highly maneuverable so can fly under trees and between 704 buildings. 706 UA can carry payloads including sensors, cyber and kinetic weapons, 707 or can be used themselves as weapons by flying them into targets. 708 They can be flown by clueless, careless or criminal operators. Thus 709 the most basic function of UAS RID is "Identification Friend or Foe" 710 (IFF) to mitigate the significant threat they present. Numerous 711 other applications can be enabled or facilitated by RID: consider the 712 importance of identifiers in many Internet protocols and services. 714 Network RID from the UA itself (rather than from its GCS) and 715 Broadcast RID require one or more wireless data links from the UA, 716 but such communications are challenging due to $SWaP constraints and 717 low altitude flight amidst structures and foliage over terrain. 719 Disambiguation of multiple UA flying in close proximity may be very 720 challenging, even if each is reporting its identity, position and 721 velocity as accurately as it can. 723 3.1. Network RID 725 Network RID is essentially publish-subscribe-query. First the UAS 726 operator pushes an operation plan to the USS that will serve that UAS 727 for that operation, for deconfliction with other operations; assuming 728 the plan receives approval and the operation commences, that UAS 729 periodically pushes location/status updates to that USS (call it 730 USS#1), which serves as the Network RID Service Provider (Net-RID SP) 731 for that operation. If users of any other USS (whether they be other 732 UAS operators or Observers) develop an interest in any 4-D airspace 733 volume containing that UAS operation, their USS learns, via the UTM 734 Discovery and Synchronization Service (DSS), that USS#1 has such 735 operations. Observers or other interested parties can then 736 subscribe, via their USS, which serves as a Network RID Display 737 Provider (Net-RID DP) for that surveillance session. The Net-RID SP 738 (USS#1) will then publish updates of the UAS position/status to all 739 subscribed Net-RID DP, which in turn will deliver the surveillance 740 information to their users via unspecified (but expected to be web 741 browser based) means. 743 Network RID has several variants. The UA may have persistent onboard 744 Internet connectivity, in which case it can consistently source RID 745 information directly over the Internet. The UA may have intermittent 746 onboard Internet connectivity, in which case the GCS must source RID 747 information whenever the UA itself is offline. The UA may not have 748 Internet connectivity of its own, but have instead some other form of 749 communications to another node that can relay RID information to the 750 Internet; this would typically be the GCS (which to perform its 751 function must know where the UA is, although C2 link outages do 752 occur). 754 The UA may have no means of sourcing RID information, in which case 755 the GCS must source it; this is typical under FAA NPRM Limited RID 756 proposed rules, which require providing the location of the GCS (not 757 that of the UA). In the extreme case, this could be the pilot using 758 a web browser/application to designate, to an UAS Service Supplier 759 (USS) or other UTM entity, a time-bounded airspace volume in which an 760 operation will be conducted; this may impede disambiguation of ID if 761 multiple UAS operate in the same or overlapping spatio-temporal 762 volumes. 764 In most cases in the near term, if the RID information is fed to the 765 Internet directly by the UA or GCS, the first hop data links will be 766 cellular Long Term Evolution (LTE) or Wi-Fi, but provided the data 767 link can support at least UDP/IP and ideally also TCP/IP, its type is 768 generally immaterial to the higher layer protocols. An UAS as the 769 ultimate source of Network RID information feeds an USS acting as a 770 Network RID Service Provider (Net-RID SP), which essentially proxies 771 for that and other sources; an observer or other ultimate consumer of 772 Network RID information obtains it from a Network RID Display 773 Provider (Net-RID DP), which aggregates information from multiple 774 Net-RID SPs to offer coverage of an airspace volume of interest. 775 Network RID Service and Display providers are expected to be 776 implemented as servers in well-connected infrastructure, accessible 777 via typical means such as web APIs/browsers. 779 Network RID is the more flexible and less constrained of the defined 780 UAS RID means, but is only partially specified in [F3411-19]. It is 781 presumed that IETF efforts supporting Broadcast RID (see next 782 section) can be easily generalized for Network RID. 784 3.2. Broadcast RID 786 [F3411-19] specifies three Broadcast RID data links: Bluetooth 4.X; 787 Bluetooth 5.X Long Range; and Wi-Fi with Neighbor Awareness 788 Networking (NAN). For compliance with [F3411-19], an UA must 789 broadcast (using advertisement mechanisms where no other option 790 supports broadcast) on at least one of these; if broadcasting on 791 Bluetooth 5.x, it is also required concurrently to do so on 4.x 792 (referred to in [F3411-19] as Bluetooth Legacy). 794 The selection of the Broadcast media was driven by research into what 795 is commonly available on 'ground' units (smartphones and tablets) and 796 what was found as prevalent or 'affordable' in UA. Further, there 797 must be an Application Programming Interface (API) for the observer's 798 receiving application to have access to these messages. As yet only 799 Bluetooth 4.X support is readily available, thus the current focus is 800 on working within the 26 byte limit of the Bluetooth 4.X "Broadcast 801 Frame" transmitted on beacon channels. After nominal overheads, this 802 limits the UAS ID string to a maximum length of 20 bytes, and 803 precludes the same frame carrying position, velocity and other 804 information that should be bound to the UAS ID, much less strong 805 authentication data. This requires segmentation ("paging") of longer 806 messages or message bundles ("Message Pack"), and/or correlation of 807 short messages (anticipated by ASTM to be done on the basis of 808 Bluetooth 4 MAC address, which is weak and unverifiable). 810 3.3. DRIP Focus 812 DRIP will focus on making information obtained via UAS RID 813 immediately usable: 815 1. by making it trustworthy (despite the severe constraints of 816 Broadcast RID); 818 2. by enabling verification that an UAS is registered, and if so, in 819 which registry (for classification of trusted operators on the 820 basis of known registry vetting, even by observers lacking 821 Internet connectivity at observation time); 823 3. by facilitating independent reports of UA's aeronautical data 824 (location, velocity, etc.) to confirm or refute the operator 825 self-reports upon which UAS RID and UTM tracking are based; 827 4. by enabling instant establishment, by authorized parties, of 828 secure communications with the remote pilot. 830 Any UA can assert any ID using the [F3411-19] required Basic ID 831 message, which lacks any provisions for verification. The Position/ 832 Vector message likewise lacks provisions for verification, and does 833 not contain the ID, so must be correlated somehow with a Basic ID 834 message: the developers of [F3411-19] have suggested using the MAC 835 addresses, but these may be randomized by the operating system stack 836 to avoid the adversarial correlation problems of static identifiers. 838 The [F3411-19] optional Authentication Message specifies framing for 839 authentication data, but does not specify any authentication method, 840 and the maximum length of the specified framing is too short for 841 conventional digital signatures and far too short for conventional 842 certificates. The one-way nature of Broadcast RID precludes 843 challenge-response security protocols (e.g., observers sending nonces 844 to UA, to be returned in signed messages). An observer would be 845 seriously challenged to validate the asserted UAS ID or any other 846 information about the UAS or its operator looked up therefrom. 848 Further, [F3411-19] provides very limited choices for an observer to 849 communicate with the pilot, e.g., to request further information on 850 the UAS operation or exit from an airspace volume in an emergency. 851 The System Message provides the location of the pilot/GCS, so an 852 observer could physically go to the asserted GCS location to look for 853 the remote pilot. An observer with Internet connectivity could look 854 up operator PII in a registry, then call a phone number in hopes 855 someone who can immediately influence the UAS operation will answer 856 promptly during that operation. 858 Thus complementing [F3411-19] with protocols enabling strong 859 authentication, preserving operator privacy while enabling immediate 860 use of information by authorized parties, is critical to achieve 861 widespread adoption of a RID system supporting safe and secure 862 operation of UAS. 864 4. Requirements 866 4.1. General 868 GEN-1 Provable Ownership: DRIP MUST enable verification that the 869 UAS ID asserted in the Basic ID message is that of the actual 870 current sender of the message (i.e. the message is not a 871 replay attack or other spoof, authenticating e.g. by 872 verifying an asymmetric cryptographic signature using a 873 sender provided public key from which the asserted ID can be 874 at least partially derived), even on an observer device 875 lacking Internet connectivity at the time of observation. 877 GEN-2 Provable Binding: DRIP MUST enable binding all other 878 [F3411-19] messages from the same actual current sender to 879 the UAS ID asserted in the Basic ID message. 881 GEN-3 Provable Registration: DRIP MUST enable verification that the 882 UAS ID is in a registry and identification of which one, even 883 on an observer device lacking Internet connectivity at the 884 time of observation; with UAS ID Type 3, the same sender may 885 have multiple IDs, potentially in different registries, but 886 each ID must clearly indicate in which registry it can be 887 found. 889 GEN-4 Readability: DRIP MUST enable information (regulation 890 required elements, whether sent via UAS RID or looked up in 891 registries) to be read and utilized by both humans and 892 software. 894 GEN-5 Gateway: DRIP MUST enable Broadcast RID -> Network RID 895 application layer gateways to stamp messages with precise 896 date/time received and receiver location, then relay them to 897 a network service (e.g. SDSP or distributed ledger), to 898 support three objectives: mark up a RID message with where 899 and when it was actually received (which may agree or 900 disagree with the self-report in the set of messages); defend 901 against replay attacks; and support optional SDSP services 902 such as multilateration (to complement UAS position self- 903 reports with independent measurements). 905 GEN-6 Finger: DRIP MUST enable dynamically establishing, with AAA, 906 per policy, E2E strongly encrypted communications with the 907 UAS RID sender and entities looked up from the UAS ID, 908 including at least the remote pilot and USS. 910 GEN-7 QoS: DRIP MUST enable policy based specification of 911 performance and reliability parameters, such as maximum 912 message transmission intervals and delivery latencies. 914 GEN-8 Mobility: DRIP MUST support physical and logical mobility of 915 UA, GCS and Observers. DRIP SHOULD support mobility of 916 essentially all participating nodes (UA, GCS, Observers, Net- 917 RID SP, Net-RID DP, Private Registry, SDSP). 919 GEN-9 Multihoming: DRIP MUST support multihoming of UA and GCS, for 920 make-before-break smooth handoff and resiliency against path/ 921 link failure. DRIP SHOULD support multihoming of essentially 922 all participating nodes. 924 GEN-10 Multicast: DRIP SHOULD support multicast for efficient and 925 flexible publish-subscribe notifications, e.g., of UAS 926 reporting positions in designated sensitive airspace volumes. 928 GEN-11 Management: DRIP SHOULD support monitoring of the health and 929 coverage of Broadcast and Network RID services. 931 Requirements imposed either by regulation or in [F3411-19] are not 932 reiterated here, but drive many of the numbered requirements listed 933 here. E.g. the QoS requirement currently would be satisfied 934 generally by ensuring information refresh rates of at least 1 Hertz, 935 with latencies no greater than 1 second, at least 80% of the time; 936 but these numbers may change, so instead the DRIP requirement is that 937 they be user policy specifiable. Note that the "provable binding" 938 requirement addresses the MAC address correlation problem of 939 [F3411-19] noted above. Note that the "gateway" requirement is the 940 only instance in which DRIP transports [F3411-19] messages; most of 941 DRIP pertains to the authentication of such messages and the 942 identifier carried within them. 944 4.2. Identifier 946 ID-1 Length: The DRIP (UAS) entity (remote) identifier must be no 947 longer than 20 bytes (per [F3411-19] to fit in a Bluetooth 4 948 advertisement payload). 950 ID-2 Registry ID: The DRIP identifier MUST be sufficient to identify 951 a registry in which the (UAS) entity identified therewith is 952 listed. 954 ID-3 Entity ID: The DRIP identifier MUST be sufficient to enable 955 lookup of other data associated with the (UAS) entity 956 identified therewith in that registry. 958 ID-4 Uniqueness: The DRIP identifier MUST be unique within a to-be- 959 defined scope. 961 ID-5 Non-spoofability: The DRIP identifier MUST be non-spoofable 962 within the context of Remote ID broadcast messages (some 963 collection of messages provides proof of UA ownership of ID). 965 ID-6 Unlinkability: A DRIP UAS ID MUST NOT facilitate adversarial 966 correlation over multiple UAS operations; this may be 967 accomplished e.g. by limiting each identifier to a single use, 968 but if so, the UAS ID MUST support well-defined scalable timely 969 registration methods. 971 Note that Registry ID and Entity ID are requirements on a single DRIP 972 entity Identifier, not separate (types of) ID. In the most common 973 use case, the Entity will be the UA, and the DRIP Identifier will be 974 the UAS ID; however, other entities may also benefit from having DRIP 975 identifiers, so the Entity type is not prescribed here. 977 Whether a UAS ID is generated by the operator, GCS, UA, USS or 978 registry, or some collaboration thereamong, is unspecified; however, 979 there must be agreement on the UAS ID among these entities. 981 4.3. Privacy 983 PRIV-1 Confidential Handling: DRIP MUST enable confidential handling 984 of private information (i.e., any and all information 985 designated by neither cognizant authority nor the information 986 owner as public, e.g., personal data). 988 PRIV-2 Encrypted Transport: DRIP MUST enable selective strong 989 encryption of private data in motion in such a manner that 990 only authorized actors can recover it. If transport is via 991 IP, then encryption MUST be end-to-end, at or above the IP 992 layer. DRIP MUST NOT encrypt safety critical data to be 993 transmitted over Broadcast RID in any situation where it is 994 unlikely that local observers authorized to access the 995 plaintext will be able to decrypt it or obtain it from a 996 service able to decrypt it. DRIP MUST NOT encrypt data when/ 997 where doing so would conflict with applicable regulations or 998 CAA policies/procedures, i.e. DRIP MUST support configurable 999 disabling of encryption. 1001 PRIV-3 Encrypted Storage: DRIP SHOULD facilitate selective strong 1002 encryption of private data at rest in such a manner that only 1003 authorized actors can recover it. 1005 PRIV-4 Public/Private Designation: DRIP SHOULD facilitate 1006 designation, by cognizant authorities and information owners, 1007 which information is public and which private. By default, 1008 all information required to be transmitted via Broadcast RID, 1009 even when actually sent via Network RID, is assumed to be 1010 public; all other information contained in registries for 1011 lookup using the UAS ID is assumed to be private. 1013 PRIV-5 Pseudonymous Rendezvous: DRIP MAY enable mutual discovery of 1014 and communications among participating UAS operators whose UA 1015 are in 4-D proximity, using the UAS ID without revealing 1016 pilot/operator identity or physical location. 1018 How information is stored on end systems is out of scope for DRIP. 1019 Encouraging privacy best practices, including end system storage 1020 encryption, by facilitating it with protocol design reflecting such 1021 considerations, is in scope. Similar logic applies to methods for 1022 designating information as public or private. 1024 The privacy requirements above are for DRIP, neither for [F3411-19] 1025 (which requires obfuscation of location to any Network RID subscriber 1026 engaging in wide area surveillance, limits data retention periods, 1027 etc. in the interests of privacy), nor for UAS RID in any specific 1028 jurisdiction (which may have its own regulatory requirements). The 1029 requirements above are also in a sense parameterized: who are the 1030 "authorized actors", how are they designated, how are they 1031 authenticated, etc.? 1033 4.4. Registries 1035 REG-1 Public Lookup: DRIP MUST enable lookup, from the UAS ID, of 1036 information designated by cognizant authority as public, and 1037 MUST NOT restrict access to this information based on identity 1038 of the party submitting the query. 1040 REG-2 Private Lookup: DRIP MUST enable lookup of private information 1041 (i.e., any and all information in a registry, associated with 1042 the UAS ID, that is designated by neither cognizant authority 1043 nor the information owner as public), and MUST, per policy, 1044 enforce AAA, including restriction of access to this 1045 information based on identity of the party submitting the 1046 query. 1048 REG-3 Provisioning: DRIP MUST enable provisioning registries with 1049 static information on the UAS and its operator, dynamic 1050 information on its current operation within the UTM (including 1051 means by which the USS under which the UAS is operating may be 1052 contacted for further, typically even more dynamic, 1053 information), and Internet direct contact information for 1054 services related to the foregoing. 1056 REG-4 AAA Policy: DRIP MUST enable closing the AAA-policy registry 1057 loop by governing AAA per registered policies and 1058 administering policies only via AAA. 1060 5. IANA Considerations 1062 This document does not make any IANA request. 1064 6. Security Considerations 1066 DRIP is all about safety and security, so content pertaining to such 1067 is not limited to this section. Potential vulnerabilities of DRIP 1068 include but are not limited to: 1070 * Sybil attacks 1071 * Confusion created by many spoofed unsigned messages 1073 * Processing overload induced by attempting to verify many spoofed 1074 signed messages (where verification will fail but still consume 1075 cycles) 1077 * Malicious or malfunctioning registries 1079 * Interception of (e.g. Man In The Middle attacks on) registration 1080 messages 1082 * UA impersonation through private key extraction, improper key 1083 sharing or carriage of a small (presumably harmless) UA, e.g. as a 1084 "false flag", by a larger (malicious) UA 1086 7. Privacy and Transparency Considerations 1088 Privacy is closely related to but not synonymous with security, and 1089 conflicts with transparency. Privacy and transparency are important 1090 for legal reasons including regulatory consistency. [EU2018] 1091 [EU2018] states "harmonised and interoperable national registration 1092 systems... should comply with the applicable Union and national law 1093 on privacy and processing of personal data, and the information 1094 stored in those registration systems should be easily accessible." 1096 Privacy and transparency (where essential to security or safety) are 1097 also ethical and moral imperatives. Even in cases where old 1098 practices (e.g. automobile registration plates) could be imitated, 1099 when new applications involving PII (such as UAS RID) are addressed 1100 and newer technologies could enable improving privacy, such 1101 opportunities should not be squandered. Thus it is recommended that 1102 all DRIP documents give due regard to [RFC6973] and more broadly 1103 [RFC8280]. 1105 DRIP information falls into two classes: that which, to achieve the 1106 purpose, must be published openly as cleartext, for the benefit of 1107 any Observer (e.g., the basic UAS ID itself); and that which must be 1108 protected (e.g., PII of pilots) but made available to properly 1109 authorized parties (e.g., public safety personnel who urgently need 1110 to contact pilots in emergencies). How properly authorized parties 1111 are authorized, authenticated, etc. are questions that extend beyond 1112 the scope of DRIP, but DRIP may be able to provide support for such 1113 processes. Classification of information as public or private must 1114 be made explicit and reflected with markings, design, etc. 1115 Classifying the information will be addressed primarily in external 1116 standards; herein it will be regarded as a matter for CAA, registry 1117 and operator policies, for which enforcement mechanisms will be 1118 defined within the scope of DRIP WG and offered. Details of the 1119 protection mechanisms will be provided in other DRIP documents. 1120 Mitigation of adversarial correlation will also be addressed. 1122 8. References 1124 8.1. Normative References 1126 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1127 Requirement Levels", BCP 14, RFC 2119, 1128 DOI 10.17487/RFC2119, March 1997, 1129 . 1131 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 1132 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 1133 May 2017, . 1135 8.2. Informative References 1137 [cpdlc] Gurtov, A., Polishchuk, T., and M. Wernberg, "Controller- 1138 Pilot Data Link Communication Security", MDPI 1139 Sensors 18(5), 1636, 2018, 1140 . 1142 [CTA2063A] ANSI, "Small Unmanned Aerial Systems Serial Numbers", 1143 September 2019. 1145 [Delegated] 1146 European Union Aviation Safety Agency (EASA), "Commission 1147 Delegated Regulation (EU) 2019/945 of 12 March 2019 on 1148 unmanned aircraft systems and on third-country operators 1149 of unmanned aircraft systems", March 2019. 1151 [drip-architecture] 1152 Card, S., Wiethuechter, A., Moskowitz, R., Zhao, S., and 1153 A. Gurtov, "Drone Remote Identification Protocol (DRIP) 1154 Architecture", Work in Progress, Internet-Draft, draft- 1155 ietf-drip-arch-03, 13 July 2020, 1156 . 1158 [ENISACSIRT] 1159 European Union Agency for Cybersecurity (ENISA), 1160 "Actionable information for Security Incident Response", 1161 November 2014, . 1165 [EU2018] European Parliament and Council, "2015/0277 (COD) PE-CONS 1166 2/18", February 2018. 1168 [F3411-19] ASTM International, "Standard Specification for Remote ID 1169 and Tracking", February 2020, 1170 . 1172 [FAACONOPS] 1173 FAA Office of NextGen, "UTM Concept of Operations v2.0", 1174 March 2020. 1176 [I-D.maeurer-raw-ldacs] 1177 Maeurer, N., Graeupl, T., and C. Schmitt, "L-band Digital 1178 Aeronautical Communications System (LDACS)", Work in 1179 Progress, Internet-Draft, draft-maeurer-raw-ldacs-05, 14 1180 August 2020, 1181 . 1183 [ICAOATM] International Civil Aviation Organization, "Doc 4444: 1184 Procedures for Air Navigation Services: Air Traffic 1185 Management", November 2016. 1187 [ICAOUTM] International Civil Aviation Organization, "Unmanned 1188 Aircraft Systems Traffic Management (UTM) - A Common 1189 Framework with Core Principles for Global Harmonization, 1190 Edition 2", November 2019. 1192 [Implementing] 1193 European Union Aviation Safety Agency (EASA), "Commission 1194 Implementing Regulation (EU) 2019/947 of 24 May 2019 on 1195 the rules and procedures for the operation of unmanned 1196 aircraft", May 2019. 1198 [NPRM] United States Federal Aviation Administration (FAA), 1199 "Notice of Proposed Rule Making on Remote Identification 1200 of Unmanned Aircraft Systems", December 2019. 1202 [OpenDroneID] 1203 Intel Corp., "Open Drone ID", March 2019, 1204 . 1206 [Opinion1] European Union Aviation Safety Agency (EASA), "Opinion No 1207 01/2020: High-level regulatory framework for the U-space", 1208 March 2020. 1210 [Recommendations] 1211 FAA UAS Identification and Tracking Aviation Rulemaking 1212 Committee, "UAS ID and Tracking ARC Recommendations Final 1213 Report", September 2017. 1215 [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally 1216 Unique IDentifier (UUID) URN Namespace", RFC 4122, 1217 DOI 10.17487/RFC4122, July 2005, 1218 . 1220 [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", 1221 FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, 1222 . 1224 [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., 1225 Morris, J., Hansen, M., and R. Smith, "Privacy 1226 Considerations for Internet Protocols", RFC 6973, 1227 DOI 10.17487/RFC6973, July 2013, 1228 . 1230 [RFC8280] ten Oever, N. and C. Cath, "Research into Human Rights 1231 Protocol Considerations", RFC 8280, DOI 10.17487/RFC8280, 1232 October 2017, . 1234 [Roadmap] American National Standards Institute (ANSI) Unmanned 1235 Aircraft Systems Standardization Collaborative (UASSC), 1236 "Standardization Roadmap for Unmanned Aircraft Systems 1237 draft v2.0", April 2020, . 1241 [Stranger] Heinlein, R.A., "Stranger in a Strange Land", June 1961. 1243 [WG105] EUROCAE, "WG-105 draft Minimum Operational Performance 1244 Standards (MOPS) for Unmanned Aircraft System (UAS) 1245 Electronic Identification", June 2020. 1247 Appendix A. Discussion and Limitations 1249 This document is largely based on the process of one SDO, ASTM. 1250 Therefore, it is tailored to specific needs and data formats of this 1251 standard. Other organizations, for example in EU, do not necessary 1252 follow the same architecture. 1254 The need for drone ID and operator privacy is an open discussion 1255 topic. For instance, in the ground vehicular domain each car carries 1256 a publicly visible plate number. In some countries, for nominal cost 1257 or even for free, anyone can resolve the identity and contact 1258 information of the owner. Civil commercial aviation and maritime 1259 industries also have a tradition of broadcasting plane or ship ID, 1260 coordinates and even flight plans in plain text. Community networks 1261 such as OpenSky and Flightradar use this open information through 1262 ADS-B to deploy public services of flight tracking. Many researchers 1263 also use these data to perform optimization of routes and airport 1264 operations. Such ID information should be integrity protected, but 1265 not necessarily confidential. 1267 In civil aviation, aircraft identity is broadcast by a device known 1268 as transponder. It transmits a four-digit squawk code, which is 1269 assigned by a traffic controller to an airplane after approving a 1270 flight plan. There are several reserved codes such as 7600 which 1271 indicate radio communication failure. The codes are unique in each 1272 traffic area and can be re-assigned when entering another control 1273 area. The code is transmitted in plain text by the transponder and 1274 also used for collision avoidance by a system known as Traffic alert 1275 and Collision Avoidance System (TCAS). The system could be used for 1276 UAS as well initially, but the code space is quite limited and likely 1277 to be exhausted soon. The number of UAS far exceeds the number of 1278 civil airplanes in operation. 1280 The ADS-B system is utilized in civil aviation for each "ADS-B Out" 1281 equipped airplane to broadcast its ID, coordinates and altitude for 1282 other airplanes and ground control stations. If this system is 1283 adopted for drone IDs, it has additional benefit with backward 1284 compatibility with civil aviation infrastructure; then, pilots and 1285 dispatchers will be able to see UA on their control screens and take 1286 those into account. If not, a gateway translation system between the 1287 proposed drone ID and civil aviation system should be implemented. 1288 Again, system saturation due to large numbers of UAS is a concern. 1290 Wi-Fi and Bluetooth are two wireless technologies currently 1291 recommended by ASTM specifications due to their widespread use and 1292 broadcast nature. However, those have limited range (max 100s of 1293 meters) and may not reliably deliver UAS ID at high altitude or 1294 distance. Therefore, a study should be made of alternative 1295 technologies from the telecom domain (WiMax, 5G) or sensor networks 1296 (Sigfox, LORA). Such transmission technologies can impose additional 1297 restrictions on packet sizes and frequency of transmissions, but 1298 could provide better energy efficiency and range. In civil aviation, 1299 Controller-Pilot Data Link Communications (CPDLC) is used to transmit 1300 command and control between the pilots and ATC. It could be 1301 considered for UAS as well due to long range and proven use despite 1302 its lack of security [cpdlc]. 1304 L-band Digital Aeronautical Communications System (LDACS) is being 1305 standardized by ICAO and IETF for use in future civil aviation 1306 [I-D.maeurer-raw-ldacs]. It provides secure communication, 1307 positioning and control for aircraft using a dedicated radio band. 1308 It should be analyzed as a potential provider for UAS RID as well. 1309 This will bring the benefit of a global integrated system creating a 1310 global airspace use awareness. 1312 Acknowledgments 1314 The work of the FAA's UAS Identification and Tracking (UAS ID) 1315 Aviation Rulemaking Committee (ARC) is the foundation of later ASTM 1316 [F3411-19] and IETF DRIP efforts. The work of Gabriel Cox, Intel 1317 Corp. and their Open Drone ID collaborators opened UAS RID to a wider 1318 community. The work of ASTM F38.02 in balancing the interests of 1319 diverse stakeholders is essential to the necessary rapid and 1320 widespread deployment of UAS RID. IETF volunteers who have 1321 extensively reviewed or otherwise contributed to this document 1322 include Amelia Andersdotter, Carsten Bormann, Mohamed Boucadair, 1323 Toerless Eckert, Susan Hares, Mika Jarvenpaa, Daniel Migault, 1324 Alexandre Petrescu, Saulo Da Silva and Shuai Zhao. 1326 Authors' Addresses 1328 Stuart W. Card (editor) 1329 AX Enterprize 1330 4947 Commercial Drive 1331 Yorkville, NY 13495 1332 United States of America 1334 Email: stu.card@axenterprize.com 1336 Adam Wiethuechter 1337 AX Enterprize 1338 4947 Commercial Drive 1339 Yorkville, NY 13495 1340 United States of America 1341 Email: adam.wiethuechter@axenterprize.com 1343 Robert Moskowitz 1344 HTT Consulting 1345 Oak Park, MI 48237 1346 United States of America 1348 Email: rgm@labs.htt-consult.com 1350 Andrei Gurtov 1351 Linköping University 1352 IDA 1353 SE-58183 Linköping 1354 Sweden 1356 Email: gurtov@acm.org