idnits 2.17.1

draft-ietf-drip-reqs-06.txt:

  -(8): Line appears to be too long, but this could be caused by non-ascii
        characters in UTF-8 encoding

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == There are 3 instances of lines with non-ascii characters in the
     document.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Line 142 has weird spacing: '... Pilot xxxxx...'

  == Line 143 has weird spacing: '...perator x ...'

  == Line 801 has weird spacing: '...bserver x x...'

  -- The document date (1 November 2020) is 1272 days in the past. Is this
     intentional?

  -- Found something which looks like a code comment -- if you have code
     sections in the document, please surround them with '<CODE BEGINS>' and
     '<CODE ENDS>' lines.

  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

     No issues found here.

  Summary: 0 errors (**), 0 flaws (~~), 5 warnings (==), 2 comments (--).

  Run idnits with the --verbose option for more detailed information about
  the items above.

--------------------------------------------------------------------------------

DRIP                                                        S. Card, Ed.
Internet-Draft                                           A. Wiethuechter
Intended status: Informational                             AX Enterprize
Expires: 5 May 2021                                         R. Moskowitz
                                                          HTT Consulting
                                                               A. Gurtov
                                                    Linköping University
                                                         1 November 2020

        Drone Remote Identification Protocol (DRIP) Requirements
                        draft-ietf-drip-reqs-06

Abstract

   This document defines terminology and requirements for Drone Remote
   Identification Protocol (DRIP) Working Group protocols to support
   Unmanned Aircraft System Remote Identification and tracking (UAS RID)
   for security, safety and other purposes.  Complementing external
   technical standards as regulator-accepted means of compliance with
   UAS RID regulations, DRIP will:

      facilitate use of existing Internet resources to support UAS RID
      and to enable enhanced related services;

      enable online and offline verification that UAS RID information is
      trustworthy.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 5 May 2021.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction (Informative)
     1.1.  Motivation
     1.2.  Concerns and Constraints
     1.3.  DRIP Scope
   2.  Terms and Definitions
     2.1.  Requirements Terminology
     2.2.  Definitions
   3.  UAS RID Problem Space
     3.1.  Network RID
     3.2.  Broadcast RID
     3.3.  USS in UTM and RID
     3.4.  DRIP Focus
   4.  Requirements
     4.1.  General
     4.2.  Identifier
     4.3.  Privacy
     4.4.  Registries
   5.  IANA Considerations
   6.  Security Considerations
   7.  Privacy and Transparency Considerations
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Discussion and Limitations
   Acknowledgments
   Authors' Addresses

1.  Introduction (Informative)

1.1.  Motivation

   Many considerations (especially safety and security) necessitate
   Unmanned Aircraft Systems (UAS) Remote Identification and tracking
   (RID).

   Unmanned Aircraft (UA) may be fixed wing, rotary wing (e.g.,
   helicopter), hybrid, balloon, rocket, etc.  Small fixed wing UA
   typically have Short Take-Off and Landing (STOL) capability; rotary
   wing and hybrid UA typically have Vertical Take-Off and Landing
   (VTOL) capability.  UA may be single- or multi-engine.  The most
   common today are multicopters: rotary wing, multi-engine.  The
   explosion in UAS was enabled by hobbyist development, for
   multicopters, of advanced flight stability algorithms, enabling even
   inexperienced pilots to take off, fly to a location of interest,
   hover, and return to the take-off location or land at a distance.
   UAS can be remotely piloted by a human (e.g., with a joystick) or
   programmed to proceed from GNSS waypoint to waypoint in a weak form
   of autonomy; stronger autonomy is coming.  UA are "low observable":
   they typically have small radar cross sections; they make noise quite
   noticeable at short range but difficult to detect at distances they
   can quickly close (500 meters in under 17 seconds at 60 knots); they
   typically fly at low altitudes (for the small UAS to which RID
   applies in the US, under 400 feet AGL); they are highly maneuverable
   so can fly under trees and between buildings.

   UA can carry payloads including sensors, cyber and kinetic weapons,
   or can be used themselves as weapons by flying them into targets.
   They can be flown by clueless, careless or criminal operators.  Thus
   the most basic function of UAS RID is "Identification Friend or Foe"
   (IFF) to mitigate the significant threat they present.  Numerous
   other applications can be enabled or facilitated by RID: consider the
   importance of identifiers in many Internet protocols and services.
   The general scenario is illustrated in Figure 1.

   [Figure 1: "General UAS RID Scenario".  The ASCII diagram did not
   survive extraction.  It shows UA1 and UA2 in the air; a General
   Public Observer and a Public Safety Observer on the ground, each
   linked to the Internet; the Internet in the centre; UA1 Pilot/
   Operator and UA2 Pilot/Operator, each linked to the Internet; and,
   below the Internet, a Public Registry, DNS, and a Private Registry,
   each linked to it.  No link is drawn to or from either UA.]

   Note the absence of any links to/from the UA in Figure 1.  This is
   because UAS RID and other connectivity involving the UA varies as
   described below.

   Inherently, any responsible Observer of UA must classify them, as
   illustrated notionally in Figure 2.  For basic airspace Situational
   Awareness (SA), an Observer who classifies an UAS: as Taskable, can
   ask it to do something useful; as Low Concern, can reasonably assume
   it is not malicious, and would cooperate with requests to modify its
   flight plans for safety concerns that arise; as High Concern or
   Unidentified, can focus surveillance on it.  These classes are not
   standard, but derive from first principles.

   [Figure 2: "Notional UAS Classification".  The ASCII flowchart did
   not survive extraction.  It reads: "ID?" -- if No, UNIDENTIFIED; if
   Yes, "TYPE?", leading to one of TASKABLE, LOW CONCERN, or HIGH
   CONCERN.]

   An ID is not an end in itself; it exists to enable lookups and
   provision of services complementing mere identification.

   Using UAS RID to facilitate vehicular (V2X) communications and
   applications such as Detect And Avoid (DAA), which would impose
   tighter latency bounds than RID itself, is an obvious possibility,
   explicitly contemplated in the United States (US) Federal Aviation
   Administration (FAA) Notice of Proposed Rule Making [NPRM].  However,
   applications of RID beyond RID itself, including DAA, have been
   declared out of scope in ASTM International, Technical Committee F38
   (UAS), Subcommittee F38.02 (Aircraft Operations), Work Item WK65041
   (source of the widely cited [F3411-19]), based on a distinction
   between RID as a security standard vs DAA as a safety application.
   Although dynamic establishment of secure communications between the
   Observer and the UAS pilot seems to have been contemplated by the FAA
   UAS ID and Tracking Aviation Rulemaking Committee (ARC) in their
   [Recommendations], it is not addressed in any of the subsequent
   proposed regulations or technical specifications.

   [Opinion1] and [WG105] cite the Direct Remote Identification
   previously required and specified, explicitly stating that whereas
   Direct RID is primarily for security purposes, "Electronic
   Identification" (or the "Network Identification Service" in the
   context of U-space) is primarily for safety purposes (e.g. air
   traffic management, especially hazards deconfliction) and also is
   allowed to be used for other purposes such as support of efficient
   operations.
   These emerging standards allow the security and safety oriented
   systems to be separate or merged.  In addition to mandating both
   Broadcast and Network one-way to Observers, they will use V2V to
   other UAS (also likely to and/or from some manned aircraft).  These
   reflect the broad scope of the EU U-space concept, as being developed
   in the Single European Sky ATM Research (SESAR) Joint Undertaking,
   whose U-space architectural principles are outlined in [InitialView].

   Security oriented UAS RID essentially has two goals: enable the
   general public to obtain and record an opaque ID for any observed UA,
   which they can then report to authorities; enable authorities, from
   such an ID, to look up information about the UAS and its operator.
   Safety oriented UAS RID has stronger requirements.  Aviation
   community SDOs set a higher bar for safety than for security,
   especially with respect to reliability.

1.2.  Concerns and Constraints

   Disambiguation of multiple UA flying in close proximity may be very
   challenging, even if each is reporting its identity, position and
   velocity as accurately as it can.

   The origin of all information in UAS RID is operator self-reports.
   Reports may be initiated by the remote pilot at the Ground Control
   Station (GCS) console, by a software process on the GCS, or by a
   process on the UA.  Data in the reports may come from the UA (e.g.
   an on-board GNSS receiver), the GCS (e.g. dead reckoning UA location
   based on takeoff location and piloting commands given since takeoff)
   and/or sensors available to the operator (e.g. radar or cameras).
   Whether information comes proximately from the operator, or from
   automated systems configured by the operator, there are possibilities
   not only of unintentional error in, but also of intentional
   falsification of, this data.

   Minimal specified information must be made available to the public;
   access to other data, e.g., UAS operator Personally Identifiable
   Information (PII), must be limited to strongly authenticated
   personnel, properly authorized per policy.  The balance between
   privacy and transparency remains a subject for public debate and
   regulatory action; DRIP can only offer tools to expand the achievable
   trade space and enable trade-offs within that space.  [F3411-19], the
   basis for most current thinking about and efforts to provide UAS RID,
   specifies only how to get the UAS ID to the Observer: how the
   Observer can perform these lookups, and how the registries first can
   be populated with information, is unspecified therein.

   The need for near-universal deployment of UAS RID is pressing.  This
   implies the need to support use by Observers of already ubiquitous
   mobile devices (typically smartphones and tablets).  Anticipating
   likely CAA requirements to support legacy devices, especially in
   light of [Recommendations], [F3411-19] specifies that any UAS sending
   Broadcast RID over Bluetooth must do so over Bluetooth 4, regardless
   of whether it also does so over newer versions; as UAS sender devices
   and Observer receiver devices are unpaired, this implies extremely
   short "advertisement" (beacon) frames.

   Wireless data links on the UA are challenging due to low altitude
   flight amidst structures and foliage over terrain, as well as the
   severe Cost, Size, Weight and Power (CSWaP) constraints of devices
   onboard UA.  CSWaP is a burden not only on the designers of new UA
   for production and sale, but also on owners of existing UA that must
   be retrofitted.  Radio Controlled (RC) aircraft modelers, "hams" who
   use licensed amateur radio frequencies to control UAS, drone
   hobbyists, and others who custom build UAS, all need means of
   participating in UAS RID, sensitive to both generic CSWaP and
   application-specific considerations.

   To accommodate the most severely constrained cases, all these
   conspire to motivate system design decisions, especially for the
   Broadcast RID data link, which complicate the protocol design
   problem: one-way links; extremely short packets; and Internet-
   disconnected operation of UA onboard devices.  Internet-disconnected
   operation of Observer devices has been deemed by ASTM F38.02 too
   infrequent to address, but for some users is important and presents
   further challenges.

   As RID must often operate with limited bandwidth, short packet
   payload length limits, and one-way links, heavyweight cryptographic
   security protocols or even simple cryptographic handshakes are
   infeasible, yet trustworthiness of UAS RID information is essential.
   Under [F3411-19], even the most basic datum, the UAS ID string
   (typically a number) itself, can be merely an unsubstantiated claim.

   Observer devices being ubiquitous, thus popular targets for malware
   or other compromise, cannot be generally trusted (although the user
   of each device is compelled to trust that device, to some extent); a
   "fair witness" functionality (inspired by [Stranger]) is desirable.

   Despite work by regulators and Standards Development Organizations
   (SDOs), there are substantial gaps in UAS standards generally and UAS
   RID specifically.  [Roadmap] catalogs UAS related standards, ongoing
   standardization activities and gaps (as of early 2020); Section 7.8
   catalogs those related specifically to UAS RID.  DRIP will address
   the most fundamental of these gaps, as foreshadowed above.

1.3.  DRIP Scope

   DRIP's initial goal is to make RID immediately actionable, in both
   Internet and local-only connected scenarios (especially emergencies),
   in severely constrained UAS environments, balancing legitimate (e.g.,
   public safety) authorities' Need To Know trustworthy information with
   UAS operators' privacy.  By "immediately actionable" is meant
   information of sufficient precision, accuracy, timeliness, etc. for
   an Observer to use it as the basis for immediate decisive action,
   whether that be to trigger a defensive counter-UAS system, to attempt
   to initiate communications with the UAS operator, to accept the
   presence of the UAS in the airspace where/when observed as not
   requiring further action, or whatever, with potentially severe
   consequences of any action or inaction chosen based on that
   information.  For further explanation of the concept of immediate
   actionability, see [ENISACSIRT].  Note that UAS RID must achieve near
   universal adoption, but DRIP can add value even if only selectively
   deployed, as those with jurisdiction over more sensitive airspace
   volumes may set a higher than generally mandated RID bar for flight
   in those volumes.  Providing timely trustworthy identification data
   is also prerequisite to identity-oriented networking.

   DRIP (originally Trustworthy Multipurpose Remote Identification, TM-
   RID) potentially could be applied to verifiably identify other types
   of registered things reported to be in specified physical locations,
   but the urgent motivation and clear initial focus is UAS.  Existing
   Internet resources (protocol standards, services, infrastructure, and
   business models) should be leveraged.
A natural Internet based 342 architecture for UAS RID conforming to proposed regulations and 343 external technical standards is described in a companion architecture 344 document [drip-architecture] and elaborated in other DRIP documents; 345 this document describes only relevant requirements and defines 346 terminology for the set of DRIP documents. 348 2. Terms and Definitions 350 2.1. Requirements Terminology 352 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 353 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 354 "OPTIONAL" in this document are to be interpreted as described in BCP 355 14 [RFC2119] [RFC8174] when, and only when, they appear in all 356 capitals, as shown here. 358 2.2. Definitions 360 This section defines a set of terms expected to be used in DRIP 361 documents. This list is meant to be the DRIP terminology reference. 362 Some of the terms listed below are not used in this document. 363 [RFC4949] provides a glossary of Internet security terms that should 364 be used where applicable. In the UAS community, the plural form of 365 acronyms generally is the same as the singular form, e.g. Unmanned 366 Aircraft System (singular) and Unmanned Aircraft Systems (plural) are 367 both represented as UAS. On this and other terminological issues, to 368 encourage comprehension necessary for adoption of DRIP by the 369 intended user community, that community's norms are respected herein, 370 and definitions are quoted in cases where they have been found in 371 that community's documents. Most of the listed terms are from that 372 community (even if specific source documents are not cited); any that 373 are DRIP-specific or invented by the authors of this document are 374 marked "(DRIP)". 376 4-D 377 Four-dimensional. Latitude, Longitude, Altitude, Time. Used 378 especially to delineate an airspace volume in which an operation 379 is being or will be conducted. 
381 AAA 382 Attestation, Authentication, Authorization, Access Control, 383 Accounting, Attribution, Audit, or any subset thereof (uses differ 384 by application, author and context). (DRIP) 386 ABDAA 387 AirBorne DAA. Accomplished using systems onboard the aircraft 388 involved. Supports "self-separation" (remaining "well clear" of 389 other aircraft) and collision avoidance. 391 ADS-B 392 Automatic Dependent Surveillance - Broadcast. "ADS-B Out" 393 equipment obtains aircraft position from other on-board systems 394 (typically GNSS) and periodically broadcasts it to "ADS-B In" 395 equipped entities, including other aircraft, ground stations and 396 satellite based monitoring systems. 398 AGL 399 Above Ground Level. Relative altitude, above the variously 400 defined local ground level, typically of an UA, measured in feet 401 or meters. Should be explicitly specified as either barometric 402 (pressure) or geodetic (GNSS). 404 ATC 405 Air Traffic Control. Explicit flight direction to pilots from 406 ground controllers. Contrast with ATM. 408 ATM 409 Air Traffic Management. A broader functional and geographic scope 410 and/or a higher layer of abstraction than ATC. "The dynamic, 411 integrated management of air traffic and airspace including air 412 traffic services, airspace management and air traffic flow 413 management - safely, economically and efficiently - through the 414 provision of facilities and seamless services in collaboration 415 with all parties and involving airborne and ground-based 416 functions." [ICAOATM] 418 Authentication Message 419 [F3411-19] Message Type 2. Provides framing for authentication 420 data, only. Optional per [F3411-19] but may be required by 421 regulations. 423 Basic ID Message 424 [F3411-19] Message Type 0. Provides UA Type, UAS ID Type and UAS 425 ID, only. Mandatory per [F3411-19]. 427 B-LOS 428 Beyond Line Of Sight (LOS). Term to be avoided due to ambiguity. 429 See LOS. 431 BV-LOS 432 Beyond Visual Line Of Sight (V-LOS). 
See V-LOS. 434 CAA 435 Civil Aviation Authority. Two examples are the United States 436 Federal Aviation Administration (FAA) and the Japan Civil Aviation 437 Bureau. 439 CSWaP 440 Cost, Size, Weight and Power. 442 C2 443 Command and Control. Previously mostly used in military contexts. 444 Properly refers to a function, exercisable over arbitrary 445 communications; but in the small UAS context, often refers to the 446 communications (typically RF data link) over which the GCS 447 controls the UA. 449 DAA 450 Detect And Avoid, formerly Sense And Avoid (SAA). A means of 451 keeping aircraft "well clear" of each other and obstacles for 452 safety. "The capability to see, sense or detect conflicting 453 traffic or other hazards and take the appropriate action to comply 454 with the applicable rules of flight." [ICAOUAS] 456 Direct RID 457 Direct Remote Identification. "a system that ensures the local 458 broadcast of information about an UA in operation, including the 459 marking of the UA, so that this information can be obtained 460 without physical access to the UA". [Delegated] Corresponds 461 roughly to the Broadcast RID portion of [NPRM] Standard RID. 463 DSS 464 Discovery and Synchronization Service. Formerly Inter-USS. The 465 UTM system overlay network backbone. Most importantly, it enables 466 one USS to learn which other USS have UAS operating in a given 4-D 467 airspace volume, for deconfliction of planned and Network RID 468 surveillance of active operations. [F3411-19] 470 EUROCAE 471 European Organisation for Civil Aviation Equipment. Aviation SDO, 472 originally European, now with broader membership. Cooperates 473 extensively with RTCA. 475 GBDAA 476 Ground Based DAA. Accomplished with the aid of ground based 477 functions. 479 GCS 480 Ground Control Station. 
The part of the UAS that the remote pilot 481 uses to exercise C2 over the UA, whether by remotely exercising UA 482 flight controls to fly the UA, by setting GPS waypoints, or 483 otherwise directing its flight. 485 GNSS 486 Global Navigation Satellite System. Satellite based timing and/or 487 positioning with global coverage, often used to support 488 navigation. 490 GPS 491 Global Positioning System. A specific GNSS, but in the UAS 492 context, the term is typically misused in place of the more 493 generic term GNSS. 495 GRAIN 496 Global Resilient Aviation Interoperable Network. ICAO managed 497 IPv6 overlay internetwork per IATF, dedicated to aviation (but not 498 just aircraft). Currently in design. 500 IATF 501 International Aviation Trust Framework. ICAO effort to develop a 502 resilient and secure by design framework for networking in support 503 of all aspects of aviation. 505 ICAO 506 International Civil Aviation Organization. A United Nations 507 specialized agency that develops and harmonizes international 508 standards relating to aviation. 510 LAANC 511 Low Altitude Authorization and Notification Capability. Supports 512 ATC authorization requirements for UAS operations: remote pilots 513 can apply to receive a near real-time authorization for operations 514 under 400 feet in controlled airspace near airports. US partial 515 stopgap until UTM comes. 517 Limited RID 518 A mode of operation that must use Network RID, must not use 519 Broadcast RID, and must provide pilot/GCS location only (not UA 520 location). This mode is only allowed for UA that neither require 521 (due to e.g. size) nor are equipped for Standard RID, operated 522 within V-LOS and within 400 feet of the pilot, below 400 feet AGL, 523 etc. [NPRM] 525 Location/Vector Message 526 [F3411-19] Message Type 1. Provides UA location, altitude, 527 heading, speed and status. Mandatory per [F3411-19]. 529 LOS 530 Line Of Sight. 
An adjectival phrase describing any information 531 transfer that travels in a nearly straight line (e.g. 532 electromagnetic energy, whether in the visual light, RF or other 533 frequency range) and is subject to blockage. A term to be avoided 534 due to ambiguity, in this context, between RF-LOS and V-LOS. 536 MSL 537 Mean Sea Level. Relative altitude, above the variously defined 538 mean sea level, typically of an UA (but in [NPRM] also for a GCS), 539 measured in feet or meters. Should be explicitly specified as 540 either barometric (pressure) or geodetic (GNSS). 542 Net-RID DP 543 Network RID Display Provider. [F3411-19] logical entity that 544 aggregates data from Net-RID SPs as needed in response to user 545 queries regarding UAS operating within specified airspace volumes, 546 to enable display by a user application on a user device. 547 Potentially could provide not only information sent via UAS RID 548 but also information retrieved from UAS RID registries, or 549 information beyond UAS RID. Under [NPRM], not recognized as a 550 distinct entity, but a service provided by USS, including Public 551 Safety USS that may exist primarily for this purpose rather than 552 to manage any subscribed UAS. 554 Net-RID SP 555 Network RID Service Provider. [F3411-19] logical entity that 556 collects RID messages from UAS and responds to NetRID-DP queries 557 for information on UAS of which it is aware. Under [NPRM], the 558 USS to which the UAS is subscribed ("Remote ID USS"). 560 Network Identification Service 561 EU regulatory requirement for Network RID. [Opinion1] and [WG105] 562 Corresponds roughly to the Network RID portion of [NPRM] Standard 563 RID. 565 Observer 566 An entity (typically but not necessarily an individual human) who 567 has directly or indirectly observed an UA and wishes to know 568 something about it, starting with its ID. 
An observer typically 569 is on the ground and local (within V-LOS of an observed UA), but 570 could be remote (observing via Network RID or other surveillance), 571 operating another UA, aboard another aircraft, etc. (DRIP) 573 Operation 574 A flight, or series of flights of the same mission, by the same 575 UAS, separated by at most brief ground intervals. (inferred from 576 UTM usage, no formal definition found) 578 Operator 579 "A person, organization or enterprise engaged in or offering to 580 engage in an aircraft operation." [ICAOUAS] 582 Operator ID Message 583 [F3411-19] Message Type 5. Provides CAA issued Operator ID, only. 584 Operator ID is distinct from UAS ID. Optional per [F3411-19] but 585 may be required by regulations. 587 PIC 588 Pilot In Command. "The pilot designated by the operator, or in 589 the case of general aviation, the owner, as being in command and 590 charged with the safe conduct of a flight." [ICAOUAS] 592 PII 593 Personally Identifiable Information. In this context, typically 594 of the UAS Operator, Pilot In Command (PIC) or Remote Pilot, but 595 possibly of an Observer or other party. 597 Remote Pilot 598 A pilot using a GCS to exercise proximate control of an UA. 599 Either the PIC or under the supervision of the PIC. "The person 600 who manipulates the flight controls of a remotely-piloted aircraft 601 during flight time." [ICAOUAS] 603 RF 604 Radio Frequency. Noun or adjective, e.g. "RF link." 606 RF-LOS 607 RF LOS. Typically used in describing a direct radio link between 608 a GCS and the UA under its control, potentially subject to 609 blockage by foliage, structures, terrain or other vehicles, but 610 less so than V-LOS. 612 RTCA 613 Radio Technical Commission for Aeronautics. US aviation SDO. 614 Cooperates extensively with EUROCAE. 616 Self-ID Message 617 [F3411-19] Message Type 3. Provides a 1 byte descriptor and 23 618 byte ASCII free text field, only. Expected to be used to provide 619 context on the operation, e.g. 
mission intent. Optional per 620 [F3411-19] but may be required by regulations. 622 Standard RID 623 A mode of operation that must use both Network RID (if Internet 624 connectivity is available at the time in the operating area) and 625 Broadcast RID (always and everywhere), and must provide both 626 pilot/GCS location and UA location. This mode is required for UAS 627 that exceed the allowed envelope (e.g. size, range) of Limited RID 628 and for all UAS equipped for Standard RID (even if operated within 629 parameters that would otherwise permit Limited RID). [NPRM] The 630 Broadcast RID portion corresponds roughly to EU Direct RID; the 631 Network RID portion corresponds roughly to EU Network 632 Identification Service. 634 SDO 635 Standards Development Organization. ASTM, IETF, et al. 637 SDSP 638 Supplemental Data Service Provider. An entity that participates 639 in the UTM system, but provides services beyond those specified as 640 basic UTM system functions. E.g., provides weather data. 641 [FAACONOPS] 643 System Message 644 [F3411-19] Message Type 4. Provides general UAS information, 645 including remote pilot location, multiple UA group operational 646 area, etc. Optional per [F3411-19] but may be required by 647 regulations. 649 U-space 650 EU concept and emerging framework for integration of UAS into all 651 classes of airspace, specifically including high density urban 652 areas, sharing airspace with manned aircraft. [InitialView] 654 UA 655 Unmanned Aircraft. In popular parlance, "drone". "An aircraft 656 which is intended to operate with no pilot on board." [ICAOUAS] 658 UAS 659 Unmanned Aircraft System. Composed of UA, all required on-board 660 subsystems, payload, control station, other required off-board 661 subsystems, any required launch and recovery equipment, all 662 required crew members, and C2 links between UA and control 663 station. [F3411-19] 665 UAS ID 666 UAS identifier. 
   Although called "UAS ID", it is unique to the UA, neither to the
   operator (as some UAS registration numbers have been, and for
   exclusively recreational purposes are continuing to be, assigned),
   nor to the combination of GCS and UA that comprise the UAS.
   Maximum length of 20 bytes. [F3411-19]

UAS ID Type
   UAS Identifier type index. 4 bits; see Section 3, Paragraph 5 for
   the currently defined values 0-3. [F3411-19]

UAS RID
   UAS Remote Identification and tracking. System to enable arbitrary
   Observers to identify UA during flight.

UAS RID Verifier Service
   System component designed to handle the authentication
   requirements of RID by offloading verification to a web hosted
   service. [F3411-19]

USS
   UAS Service Supplier. "A USS is an entity that assists UAS
   Operators with meeting UTM operational requirements that enable
   safe and efficient use of airspace" and "... provide services to
   support the UAS community, to connect Operators and other entities
   to enable information flow across the USS Network, and to promote
   shared situational awareness among UTM participants" per
   [FAACONOPS].

UTM
   UAS Traffic Management. "A specific aspect of air traffic
   management which manages UAS operations safely, economically and
   efficiently through the provision of facilities and a seamless set
   of services in collaboration with all parties and involving
   airborne and ground-based functions." [ICAOUTM] In the US, per
   FAA, a "traffic management" ecosystem for "uncontrolled" low
   altitude UAS operations, separate from, but complementary to, the
   FAA's ATC system for "controlled" operations of manned aircraft.

V2V
   Vehicle-to-Vehicle. Originally communications between automobiles,
   now extended to apply to communications between vehicles
   generally. Often, together with Vehicle-to-Infrastructure (V2I)
   etc., generalized to V2X.

V-LOS
   Visual LOS. Typically used in describing operation of a UA by a
   "remote" pilot who can clearly and directly (without video cameras
   or any aids other than glasses or, under some rules, binoculars)
   see the UA and its immediate flight environment. Potentially
   subject to blockage by foliage, structures, terrain or other
   vehicles, more so than RF-LOS.

3.  UAS RID Problem Space

   Civil Aviation Authorities (CAAs) worldwide are mandating UAS RID.
   The European Union Aviation Safety Agency (EASA) has published
   [Delegated] and [Implementing] Regulations. The US FAA has
   described the key role that UAS RID plays in UAS Traffic Management
   (UTM) in [NPRM] and [FAACONOPS] (especially Section 2.6 of the
   latter). CAAs currently (2020) promulgate performance-based
   regulations that do not specify techniques, but rather cite
   industry consensus technical standards as acceptable means of
   compliance.

   ASTM developed a widely cited Standard Specification for Remote ID
   and Tracking [F3411-19] (early drafts are freely available as
   [OpenDroneID] specifications). It defines two means of UAS RID:

   Network RID defines a set of information for UAS to make available
   globally, indirectly via the Internet, through servers that can be
   queried by Observers.

   Broadcast RID defines a set of messages for UA to transmit locally,
   directly and one-way over Bluetooth or Wi-Fi (without IP or any
   other protocols between the data link and application layer), to
   be received in real time by local Observers.

   UAS using both means must send the same UAS RID application layer
   information via each, per [F3411-19] and [NPRM]. The presentation
   may differ, as Network RID defines a data dictionary, whereas
   Broadcast RID defines message formats (which carry items from that
   same data dictionary).
   The interval (or rate) at which it is sent may differ, as Network
   RID can accommodate Observer queries asynchronous to UAS updates
   (which generally need be sent only when information, such as
   location, changes), whereas Broadcast RID depends upon Observers
   receiving UA messages at the time they are transmitted. Network
   RID depends upon Internet connectivity in several segments from the
   UAS to each Observer. Broadcast RID should need Internet (or other
   Wide Area Network) connectivity only for UAS registry information
   lookup, using the directly and locally received UAS Identifier
   (UAS ID) as a key. Broadcast RID does not assume IP connectivity of
   UAS; messages are encapsulated by the UA without IP, directly in
   Bluetooth or Wi-Fi link layer frames.

   [F3411-19] specifies three UAS ID types:

   TYPE-1  A static, manufacturer assigned, hardware serial number per
           ANSI/CTA-2063-A "Small Unmanned Aerial System Serial
           Numbers" [CTA2063A].

   TYPE-2  A CAA assigned (generally static) ID, like the registration
           number of a manned aircraft.

   TYPE-3  A UTM system assigned UUID [RFC4122], which can but need
           not be dynamic.

   Per [Delegated], the EU allows only Type 1. Per [NPRM], the US
   allows Types 1 and 3, but requires Type 3 IDs (if used) each to be
   used only once, as a "Session ID" (for a single UAS flight, which
   in the context of UTM is called an "operation"). Per [Delegated],
   the EU also requires an operator registration number (an additional
   identifier distinct from the UAS ID) that can be carried in an
   [F3411-19] optional Operator ID message. Per [NPRM], the US allows
   but does not require that operator registration numbers be sent.
   As yet there are apparently no CAA public proposals to use Type 2.

3.1.  Network RID

         x x  UA
         xxxxxxx
           |   \
           |    \
           |     \
           |      \           ********************
           |       \*   ------*---+------------+
           |       *\  /      *   | NET_Rid_SP |
           |       * ------------/ +---*--+------------+
           |   RF  */               |    *
           |       /  INTERNET      |    *   +------------+
           |      /*                +---*--| NET_Rid_DP |
           |     / *                +----*--+------------+
           +    /  *                |    *
           x   /   ****************|***                x
         xxxxx                      |                xxxxx
           x                        +-------           x
           x                                           x
        x  x  Operator's GCS              Observer  x  x
       x      x                                    x    x

              Figure 3: "Network RID Information Flow"

   Only two of the three links UA-GCS, UA-Internet and GCS-Internet
   need exist, although all three may. There must be some path
   (direct or indirect) between the GCS and the UA, for the former to
   exercise C2 over the latter; if this path is two-way (as
   increasingly it is, even for inexpensive small UAS), the UA will
   also send its status (and position, if suitably equipped)
   information to the GCS. There must be some path between at least
   one subsystem of the UAS (UA or GCS) and the Internet, for the
   former to send status and position updates to its USS (serving
   _inter alia_ as Net-RID SP).

   Currently, the RID data flow typically originates on the UA and
   passes through the GCS, or originates on the GCS, rather than
   coming directly from the UA as in Broadcast RID (below), and makes
   up to three trips through the Internet, implying use of IP (and
   other middle layer protocols) on those trips, but not necessarily
   on a UA-GCS link (if indeed that direct link even exists and the
   Network RID data flows across it).

   Network RID is publish-subscribe-query. In the UTM context:

   1.  The UAS operator pushes an "operational intent" (the current
       term in UTM corresponding to a flight plan in manned aviation)
       to the USS (call it USS#1) that will serve that UAS (call it
       UAS#1) for that operation, primarily to enable deconfliction
       with other operations potentially impinging upon that
       operation's 4-D airspace volume (call it Volume#1).

   2.  Assuming the operation is approved and commences, UAS#1
       periodically pushes location/status updates to USS#1, which
       serves _inter alia_ as the Network RID Service Provider
       (Net-RID SP) for that operation.

   3.  When users of any other USS (whether they be other UAS
       operators or Observers) develop an interest in any 4-D airspace
       volume (e.g. because they wish to submit an operational intent
       or because they have observed a UA), they query their own USS
       on the volumes in which they are interested.

   4.  Their USS query, via the UTM Discovery and Synchronization
       Service (DSS), all other USS in the UTM system, and learn of
       any USS that have operations in those volumes (including any
       volumes intersecting them); thus those USS whose query volumes
       intersect Volume#1 (call them USS#2 through USS#n) learn that
       USS#1 has such operations.

   5.  Interested parties can then subscribe to track updates on that
       operation of UAS#1, via their own USS, which serve as Network
       RID Display Providers (Net-RID DP) for that operation.

   6.  USS#1 (as Net-RID SP) will then publish updates of UAS#1 status
       and position to all other subscribed USS in USS#2 through USS#n
       (as Net-RID DP).

   7.  All Net-RID DP subscribed to that operation of UAS#1 will
       deliver its track information to their users who subscribed to
       that operation of UAS#1, via unspecified (generally presumed to
       be web browser based) means.

   Network RID has several variants.
   The UA may have persistent onboard Internet connectivity, in which
   case it can consistently source RID information directly over the
   Internet. The UA may have intermittent onboard Internet
   connectivity, in which case the GCS must source RID information
   whenever the UA itself is offline. The UA may not have Internet
   connectivity of its own, but have instead some other form of
   communications to another node that can relay RID information to
   the Internet; this would typically be the GCS (which to perform its
   function must know where the UA is, although C2 link outages do
   occur).

   The UA may have no means of sourcing RID information, in which case
   the GCS must source it; this is typical under the FAA NPRM Limited
   RID proposed rules, which require providing the location of the GCS
   (not that of the UA). In the extreme case, this could be the pilot
   using a web browser/application to designate, to a UAS Service
   Supplier (USS) or other UTM entity, a time-bounded airspace volume
   in which an operation will be conducted; this may impede
   disambiguation of ID if multiple UAS operate in the same or
   overlapping 4-D volumes.

   In most cases in the near term, if the RID information is fed to
   the Internet directly by the UA or GCS, the first hop data links
   will be cellular Long Term Evolution (LTE) or Wi-Fi, but provided
   the data link can support at least UDP/IP and ideally also TCP/IP,
   its type is generally immaterial to the higher layer protocols.
   A UAS, as the ultimate source of Network RID information, feeds a
   USS acting as a Network RID Service Provider (Net-RID SP), which
   essentially proxies for that and other sources; an Observer or
   other ultimate consumer of Network RID information obtains it from
   a Network RID Display Provider (Net-RID DP), which aggregates
   information from multiple Net-RID SPs to offer airspace Situational
   Awareness (SA) coverage of a volume of interest. Network RID
   Service and Display Providers are expected to be implemented as
   servers in well-connected infrastructure, accessible via typical
   means such as web APIs/browsers.

   Network RID is the more flexible and less constrained of the
   defined UAS RID means, but is only partially specified in
   [F3411-19]. It is presumed that IETF efforts supporting Broadcast
   RID (see next section) can be easily generalized for Network RID.

3.2.  Broadcast RID

            x  x  UA
            xxxxx
              |
              |
              |  app messages directly over one-way RF data link
              |
              |
              +
              x
            xxxxx
              x
              x
           x  x  Observer's device (e.g. smartphone)
          x    x

             Figure 4: "Broadcast RID Information Flow"

   Note the absence of the Internet from this information flow
   sketch. This is because Broadcast RID is one-way direct
   transmission of application layer messages over an RF data link
   (without IP or other middle layer protocols) from the UA to local
   Observer devices. Internet connectivity is involved only in what
   the Observer chooses to do with the information received, such as
   verifying signatures using a web based verifier service and looking
   up information in registries using the UAS ID as the primary unique
   key.

   Broadcast RID is conceptually similar to Automatic Dependent
   Surveillance - Broadcast (ADS-B).
   However, for various technical and other reasons, regulators
   including the EASA and FAA have not indicated intent to allow, and
   the FAA has proposed explicitly to prohibit, use of ADS-B for UAS
   RID.

   [F3411-19] specifies three Broadcast RID data links: Bluetooth 4.X;
   Bluetooth 5.X Long Range; and Wi-Fi with Neighbor Awareness
   Networking (NAN). For compliance with [F3411-19], a UA must
   broadcast (using advertisement mechanisms where no other option
   supports broadcast) on at least one of these; if broadcasting on
   Bluetooth 5.x, it is also required concurrently to do so on 4.x
   (referred to in [F3411-19] as Bluetooth Legacy). Future revisions
   may allow other data links.

   The selection of the Broadcast media was driven by research into
   what is commonly available on 'ground' units (smartphones and
   tablets) and what was found to be prevalent or 'affordable' in UA.
   Further, there must be an Application Programming Interface (API)
   for the Observer's receiving application to have access to these
   messages. As yet only Bluetooth 4.X support is readily available,
   thus the current focus is on working within the 26 byte limit of
   the Bluetooth 4.X "Broadcast Frame" transmitted on beacon channels.
   After nominal overheads, this limits the UAS ID string to a maximum
   length of 20 bytes, and precludes the same frame carrying position,
   velocity and other information that should be bound to the UAS ID,
   much less strong authentication data. This requires segmentation
   ("paging") of longer messages or message bundles ("Message Pack"),
   and/or correlation of short messages (anticipated by ASTM to be
   done on the basis of Bluetooth 4 MAC address, which is weak and
   unverifiable).

   [F3411-19] Broadcast RID specifies several message types: Basic,
   Location, Authentication, Self-ID, System and Operator ID. To
   satisfy EASA and FAA proposed rules, all types are needed, except
   Authentication and Self-ID.

   [F3411-19] Broadcast RID specifies very few quantitative
   performance requirements: static information must be transmitted
   at least once per 3 seconds; dynamic information (the Location
   message) must be transmitted at least once per second and be no
   older than one second when sent. [NPRM] proposes that all
   information be sent at least once per second.

   [F3411-19] Broadcast RID transmits all information as cleartext
   (ASCII or binary), so static IDs enable trivial correlation of
   patterns of use, unacceptable in many applications, e.g., package
   delivery routes of competitors.

   Any UA can assert any ID using the [F3411-19] required Basic ID
   message, which lacks any provisions for verification. The
   Position/Vector message likewise lacks provisions for verification,
   and does not contain the ID, so must be correlated somehow with a
   Basic ID message: the developers of [F3411-19] have suggested using
   the MAC addresses on the Broadcast RID data link, but these may be
   randomized by the operating system stack to avoid the adversarial
   correlation problems of static identifiers.

   The [F3411-19] optional Authentication Message specifies framing
   for authentication data, but does not specify any authentication
   method, and the maximum length of the specified framing is too
   short for conventional digital signatures and far too short for
   conventional certificates. The one-way nature of Broadcast RID
   precludes challenge-response security protocols (e.g., Observers
   sending nonces to UA, to be returned in signed messages). An
   Observer would be seriously challenged to validate the asserted UAS
   ID or any other information about the UAS or its operator looked up
   therefrom.

3.3.  USS in UTM and RID

   UAS RID and UTM are complementary; Network RID is a UTM service.
   The backbone of the UTM system comprises multiple USS: one or
   several per jurisdiction; some limited to a single jurisdiction,
   others spanning multiple jurisdictions. USS also serve as the
   principal or perhaps the sole interface for operators and UAS into
   the UTM environment. Each operator subscribes to at least one USS.
   Each UAS is registered by its operator in at least one USS. Each
   operational intent is submitted to one USS: if approved, that UAS
   and operator can commence that operation; from this point until the
   end of the operation, status and location of that UAS must be
   reported to that USS, which in turn provides information as needed
   about that operator, UAS and operation into the UTM system and to
   Observers via Network RID.

   USS provide services not limited to Network RID; indeed, the
   primary USS function is deconfliction of airspace usage by
   different UAS and other (e.g. manned aircraft, rocket launch)
   operations. Most deconfliction involving a given operation is
   hoped to be completed prior to commencing that operation, and is
   called "strategic deconfliction." If that fails, "tactical
   deconfliction" comes into play; ABDAA may not involve USS, but
   GBDAA likely will. Also, dynamic constraints (formerly UAS Volume
   Restrictions, UVR) can be necessitated by local emergencies,
   extreme weather, etc., specified by authorities on the ground and
   propagated in UTM.

   No role for USS in Broadcast RID is currently specified by
   regulators or [F3411-19]. However, USS are likely to serve as
   registries (or perhaps registrars) for UAS (and perhaps operators);
   if so, USS will have a role in all forms of RID. Supplemental Data
   Service Providers (SDSP) are also likely to find roles, not only in
   UTM as such but also in enhancing UAS RID and related services.
   Whether USS, SDSP, etc. are involved or not, RID services, narrowly
   defined, provide regulator specified identification information;
   more broadly defined, RID services may leverage identification to
   facilitate related services or functions, likely beginning with
   V2X.

3.4.  DRIP Focus

   In addition to the gaps described above, there is a fundamental gap
   in almost all current or proposed regulations and technical
   standards for UAS RID. As noted above, ID is not an end in itself,
   but a means. [F3411-19] etc. provide very limited choices for an
   Observer to communicate with the pilot, e.g., to request further
   information on the UAS operation or exit from an airspace volume in
   an emergency. The System Message provides the location of the
   pilot/GCS, so an Observer could physically go to the asserted
   location to look for the remote pilot; this is at best slow, and
   may not be feasible -- what if the pilot is on the opposite rim of
   a canyon, or there are multiple UAS operators to be contacted whose
   GCS all lie in different directions from the Observer? An Observer
   with Internet connectivity and access privileges could look up
   operator PII in a registry, then call a phone number in hopes that
   someone who can immediately influence the UAS operation will answer
   promptly during that operation; this is unreliable. Internet
   technologies can do much better than this.

   Thus complementing [F3411-19] with protocols enabling strong
   authentication, preserving operator privacy while enabling
   immediate use of information by authorized parties, is critical to
   achieving widespread adoption of a RID system supporting safe and
   secure operation of UAS.

   DRIP will focus on making information obtained via UAS RID
   immediately usable:

   1.  by making it trustworthy (despite the severe constraints of
       Broadcast RID);

   2.  by enabling verification that a UAS is registered for RID, and
       if so, in which registry (for classification of trusted
       operators on the basis of known registry vetting, even by
       Observers lacking Internet connectivity at observation time);

   3.  by facilitating independent reports of UA aeronautical data
       (location, velocity, etc.) to confirm or refute the operator
       self-reports upon which UAS RID and UTM tracking are based;

   4.  by enabling instant establishment, by authorized parties, of
       secure communications with the remote pilot.

4.  Requirements

4.1.  General

   GEN-1  Provable Ownership: DRIP MUST enable verification that the
          UAS ID asserted in the Basic ID message is that of the
          actual current sender of the message (i.e. the message is
          not a replay attack or other spoof, authenticating e.g. by
          verifying an asymmetric cryptographic signature using a
          sender provided public key from which the asserted ID can
          be at least partially derived), even on an Observer device
          lacking Internet connectivity at the time of observation.

   GEN-2  Provable Binding: DRIP MUST enable binding all other
          [F3411-19] messages from the same actual current sender to
          the UAS ID asserted in the Basic ID message.

   GEN-3  Provable Registration: DRIP MUST enable verification that
          the UAS ID is in a registry and identification of which one,
          even on an Observer device lacking Internet connectivity at
          the time of observation; with UAS ID Type 3, the same sender
          may have multiple IDs, potentially in different registries,
          but each ID must clearly indicate in which registry it can
          be found.

   GEN-4  Readability: DRIP MUST enable information (regulation
          required elements, whether sent via UAS RID or looked up in
          registries) to be read and utilized by both humans and
          software.
   GEN-5  Gateway: DRIP MUST enable Broadcast RID to Network RID
          application layer gateways to stamp messages with precise
          date/time received and receiver location, then relay them
          to a network service (e.g. SDSP or distributed ledger), to
          support three objectives: mark up a RID message with where
          and when it was actually received (which may agree or
          disagree with the self-report in the set of messages);
          defend against replay attacks; and support optional SDSP
          services such as multilateration (to complement UAS
          position self-reports with independent measurements).

   GEN-6  Finger: DRIP MUST enable dynamically establishing, with
          AAA, per policy, end to end strongly encrypted
          communications with the UAS RID sender and entities looked
          up from the UAS ID, including at least the remote pilot and
          USS.

   GEN-7  QoS: DRIP MUST enable policy based specification of
          performance and reliability parameters, such as maximum
          message transmission intervals and delivery latencies.

   GEN-8  Mobility: DRIP MUST support physical and logical mobility
          of UA, GCS and Observers. DRIP SHOULD support mobility of
          essentially all participating nodes (UA, GCS, Observers,
          Net-RID SP, Net-RID DP, Private Registry, SDSP).

   GEN-9  Multihoming: DRIP MUST support multihoming of UA and GCS,
          for make-before-break smooth handoff and resiliency against
          path/link failure. DRIP SHOULD support multihoming of
          essentially all participating nodes.

   GEN-10 Multicast: DRIP SHOULD support multicast for efficient and
          flexible publish-subscribe notifications, e.g., of UAS
          reporting positions in designated airspace volumes.

   GEN-11 Management: DRIP SHOULD support monitoring of the health
          and coverage of Broadcast and Network RID services.
   Requirements imposed either by regulation or by [F3411-19] are not
   reiterated here, but drive many of the numbered requirements listed
   here. The [NPRM] regulatory QoS requirement currently would be
   satisfied by ensuring information refresh rates of at least 1
   Hertz, with latencies no greater than 1 second, at least 80% of the
   time, but these numbers may vary between jurisdictions and over
   time. So instead the DRIP QoS requirement is that performance,
   reliability, etc. parameters be user policy specifiable, which does
   not imply satisfiable in all cases, but (especially together with
   the management requirement) implies that when specifications are
   not met, appropriate parties are notified. The "provable
   ownership" requirement addresses the possibility that the actual
   sender is not the claimed sender (i.e. is a spoofer). The
   "provable binding" requirement addresses the MAC address
   correlation problem of [F3411-19] noted above. The "provable
   registration" requirement may impose burdens not only on the UAS
   sender and the Observer's receiver, but also on the registry; yet
   it cannot depend upon the Observer being able to contact the
   registry at the time of observing the UA. The "readability"
   requirement may involve machine assisted format conversions, e.g.
   from binary encodings. The "gateway" requirement is the only
   instance in which DRIP transports [F3411-19] messages; most of DRIP
   pertains to the authentication of such messages and the identifier
   carried within them.

4.2.  Identifier

   ID-1  Length: The DRIP (UAS) entity (remote) identifier must be no
         longer than 20 bytes (per [F3411-19], to fit in a Bluetooth 4
         advertisement payload).

   ID-2  Registry ID: The DRIP identifier MUST be sufficient to
         identify a registry in which the (UAS) entity identified
         therewith is listed.

   ID-3  Entity ID: The DRIP identifier MUST be sufficient to enable
         lookup of other data associated with the (UAS) entity
         identified therewith in that registry.

   ID-4  Uniqueness: The DRIP identifier MUST be unique within the
         global UAS RID identifier space from when it is first
         registered therein until it is explicitly de-registered
         therefrom (due to e.g. expiration after a specified lifetime
         such as the FAA's proposed 6 month RID data retention period,
         revocation by the registry, or surrender by the operator).

   ID-5  Non-spoofability: The DRIP identifier MUST be non-spoofable
         within the context of Remote ID broadcast messages (some
         collection of messages provides proof of UA ownership of the
         ID).

   ID-6  Unlinkability: A DRIP UAS ID MUST NOT facilitate adversarial
         correlation over multiple UAS operations; this may be
         accomplished e.g. by limiting each identifier to a single
         use, but if so, the UAS ID MUST support well-defined,
         scalable, timely registration methods.

   The DRIP identifier can be used at various layers: in Broadcast
   RID, it would be used by the application running directly over the
   data link; in Network RID, it would be used by the application
   running over HTTPS (and possibly other protocols); and in RID
   initiated V2X applications such as DAA and C2, it could be used
   between the network and transport layers (with HIP or DTLS).

   Registry ID (which registry the entity is in) and Entity ID (which
   entity it is, within that registry) are requirements on a single
   DRIP entity Identifier, not separate (types of) ID. In the most
   common use case, the Entity will be the UA, and the DRIP Identifier
   will be the UAS ID; however, other entities may also benefit from
   having DRIP identifiers, so the Entity type is not prescribed here.
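   The following Go program is an added illustration of how the
   Section 4.1 requirements GEN-1 (provable ownership), GEN-2
   (provable binding), GEN-3 (provable registration) and the GEN-5
   replay defense, together with ID-1, ID-2 and ID-5 above, could be
   checked by an Observer device with no Internet connectivity. It is
   not code from this draft, from the DRIP WG or from [F3411-19], and
   it is not the identifier scheme DRIP specifies. Everything beyond
   the 20-byte ID length and the 4-bit ID Type is an assumption of the
   example: the split of the 20 bytes into a 4-byte registry prefix
   and 16 bytes of truncated SHA-256 over the sender's Ed25519 public
   key, the pre-installed table of known registries, the 1-second
   freshness window, and the constructed location encoding.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// From the draft: the UAS ID is at most 20 bytes (ID-1), the UAS ID Type is a
// 4-bit field, and Type 3 is the UTM-assigned session ID.
const (
	uasIDLen      = 20
	registryLen   = 4               // ASSUMED: 4-byte registry prefix, then
	uasIDType3    = 3               // 16 bytes of truncated key hash
	maxMessageAge = 1 * time.Second // ASSUMED freshness window (replay defense)
)

// knownRegistries is a CONSTRUCTED table pre-installed on the Observer device,
// so GEN-3 / ID-2 can be checked without contacting any registry.
var knownRegistries = map[[registryLen]byte]string{
	{0x01, 0x00, 0x00, 0x01}: "example-registry-A (constructed)",
	{0x01, 0x00, 0x00, 0x02}: "example-registry-B (constructed)",
}

// DeriveUASID builds the 20-byte ID as prefix || SHA-256(prefix || pubkey)[:16].
// Illustrative construction for this example, not DRIP's identifier design.
func DeriveUASID(registry [registryLen]byte, pub ed25519.PublicKey) [uasIDLen]byte {
	h := sha256.New()
	h.Write(registry[:])
	h.Write(pub)
	var id [uasIDLen]byte
	copy(id[:registryLen], registry[:])
	copy(id[registryLen:], h.Sum(nil)[:uasIDLen-registryLen])
	return id
}

// SignedReport holds what a UA would spread over Basic ID, Location and
// Authentication messages; one struct here so the GEN-2 binding of location
// to ID is visible in the signed bytes.
type SignedReport struct {
	IDType    byte // 4-bit UAS ID Type
	UASID     [uasIDLen]byte
	Timestamp int64 // self-reported Unix time, seconds
	LatE7     int32 // constructed location encoding, 1e-7 degrees
	LonE7     int32
	PubKey    ed25519.PublicKey // sender-provided key (GEN-1)
	Sig       []byte
}

// signedBytes is the canonical byte string the signature covers.
func (r *SignedReport) signedBytes() []byte {
	var buf bytes.Buffer
	buf.WriteByte(r.IDType & 0x0F)
	buf.Write(r.UASID[:])
	binary.Write(&buf, binary.LittleEndian, r.Timestamp)
	binary.Write(&buf, binary.LittleEndian, r.LatE7)
	binary.Write(&buf, binary.LittleEndian, r.LonE7)
	return buf.Bytes()
}

// Sign is the UA side: attach the public key and sign the report.
func Sign(priv ed25519.PrivateKey, r *SignedReport) {
	r.PubKey = priv.Public().(ed25519.PublicKey)
	r.Sig = ed25519.Sign(priv, r.signedBytes())
}

// VerifyOffline is the Observer side. receivedAt is the receiver's own clock
// (the stamp GEN-5 asks gateways to add), never a value from the message.
func VerifyOffline(r *SignedReport, receivedAt time.Time) (string, error) {
	var prefix [registryLen]byte
	copy(prefix[:], r.UASID[:registryLen])
	registry, ok := knownRegistries[prefix] // GEN-3 / ID-2
	if !ok {
		return "", errors.New("unknown registry prefix")
	}
	if DeriveUASID(prefix, r.PubKey) != r.UASID { // GEN-1 / ID-5: key owns the ID
		return "", errors.New("UAS ID does not derive from sender's public key")
	}
	if !ed25519.Verify(r.PubKey, r.signedBytes(), r.Sig) { // GEN-1 / GEN-2
		return "", errors.New("signature does not verify")
	}
	age := receivedAt.Sub(time.Unix(r.Timestamp, 0))
	if age < -maxMessageAge || age > maxMessageAge { // replay defense
		return "", errors.New("outside freshness window (possible replay)")
	}
	return registry, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	reg := [registryLen]byte{0x01, 0x00, 0x00, 0x01}
	now := time.Now().Unix()
	// Constructed report: a Type 3 session ID bound to a constructed position.
	r := &SignedReport{IDType: uasIDType3, UASID: DeriveUASID(reg, pub),
		Timestamp: now, LatE7: 431234567, LonE7: -755432100}
	Sign(priv, r)
	fmt.Println(VerifyOffline(r, time.Unix(now, 0)))    // registry name, nil
	fmt.Println(VerifyOffline(r, time.Unix(now+30, 0))) // same bytes replayed
}
```

   Note what this does and does not buy. A report that verifies tells
   the Observer that whoever holds the private key for this ID sent
   these location bytes within the last second, and which registry to
   ask about it later; it says nothing about whether the registry
   entry is honest, which is why Section 6 lists malicious registries
   separately. The Ed25519 public key and signature alone are 96
   bytes, far over the 26-byte Bluetooth 4 frame of Section 3.2, so
   in a real Broadcast RID design the authentication data would have
   to be paged across several Authentication messages and bound to
   the Basic ID and Location messages rather than carried alongside
   them as in this single struct.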
   Whether a UAS ID is generated by the operator, GCS, UA, USS or
   registry, or by some collaboration among them, is unspecified;
   however, there must be agreement on the UAS ID among these
   entities.

4.3.  Privacy

   PRIV-1  Confidential Handling: DRIP MUST enable confidential
           handling of private information (i.e., any and all
           information designated by neither cognizant authority nor
           the information owner as public, e.g., personal data).

   PRIV-2  Encrypted Transport: DRIP MUST enable selective strong
           encryption of private data in motion in such a manner that
           only authorized actors can recover it. If transport is via
           IP, then encryption MUST be end-to-end, at or above the IP
           layer. DRIP MUST NOT encrypt safety critical data to be
           transmitted over Broadcast RID in any situation where it is
           unlikely that local observers authorized to access the
           plaintext will be able to decrypt it or obtain it from a
           service able to decrypt it. DRIP MUST NOT encrypt data
           when/where doing so would conflict with applicable
           regulations or CAA policies/procedures, i.e. DRIP MUST
           support configurable disabling of encryption.

   PRIV-3  Encrypted Storage: DRIP SHOULD facilitate selective strong
           encryption of private data at rest in such a manner that
           only authorized actors can recover it.

   PRIV-4  Public/Private Designation: DRIP SHOULD facilitate
           designation, by cognizant authorities and information
           owners, of which information is public and which private.
           By default, all information required to be transmitted via
           Broadcast RID, even when actually sent via Network RID, is
           assumed to be public; all other information contained in
           registries for lookup using the UAS ID is assumed to be
           private.

   PRIV-5  Pseudonymous Rendezvous: DRIP MAY enable mutual discovery
           of and communications among participating UAS operators
           whose UA are in 4-D proximity, using the UAS ID without
           revealing pilot/operator identity or physical location.

   How information is stored on end systems is out of scope for DRIP.
   Encouraging privacy best practices, including end system storage
   encryption, by facilitating it with protocol design reflecting
   such considerations, is in scope. Similar logic applies to methods
   for designating information as public or private.

   The privacy requirements above are for DRIP, neither for
   [F3411-19] (which requires obfuscation of location to any Network
   RID subscriber engaging in wide area surveillance, limits data
   retention periods, etc. in the interests of privacy), nor for UAS
   RID in any specific jurisdiction (which may have its own regulatory
   requirements). The requirements above are also in a sense
   parameterized: who are the "authorized actors", how are they
   designated, how are they authenticated, etc.?

4.4.  Registries

   REG-1  Public Lookup: DRIP MUST enable lookup, from the UAS ID, of
          information designated by cognizant authority as public, and
          MUST NOT restrict access to this information based on
          identity or role of the party submitting the query.

   REG-2  Private Lookup: DRIP MUST enable lookup of private
          information (i.e., any and all information in a registry,
          associated with the UAS ID, that is designated by neither
          cognizant authority nor the information owner as public),
          and MUST, per policy, enforce AAA, including restriction of
          access to this information based on identity or role of the
          party submitting the query.
   REG-3  Provisioning: DRIP MUST enable provisioning registries with
          static information on the UAS and its operator, dynamic
          information on its current operation within the U-space /
          UTM (including means by which the USS under which the UAS
          is operating may be contacted for further, typically even
          more dynamic, information), and Internet direct contact
          information for services related to the foregoing.

   REG-4  AAA Policy: DRIP MUST enable closing the AAA-policy registry
          loop by governing AAA per registered policies and
          administering policies only via AAA.

   Registries are fundamental to RID. Only very limited information
   can be Broadcast, but extended information is sometimes needed.
   The most essential element of information sent is the UAS ID
   itself, the unique key for lookup of extended information in
   registries. Beyond designating the UAS ID as that unique key, the
   registry information model is not specified herein, in part because
   regulatory requirements for different registries (UAS operators and
   their UA, each narrowly for UAS RID and broadly for U-space / UTM)
   and business models for meeting those requirements are in flux.
   However those may evolve, the essential registry functions remain
   the same, so are specified herein.

5.  IANA Considerations

   This document does not make any IANA request.

6.  Security Considerations

   DRIP is all about safety and security, so content pertaining to
   such is not limited to this section. Potential vulnerabilities of
   DRIP include but are not limited to:

   *  Sybil attacks

   *  Confusion created by many spoofed unsigned messages

   *  Processing overload induced by attempting to verify many spoofed
      signed messages (where verification will fail but still consume
      cycles)

   *  Malicious or malfunctioning registries

   *  Interception of (e.g. Man In The Middle attacks on) registration
      messages

   *  UA impersonation through private key extraction, improper key
      sharing, or carriage of a small (presumably harmless) UA, e.g.
      as a "false flag", by a larger (malicious) UA

   It may be inferred from the Section 4.1 General requirements for
   Provable Ownership, Provable Binding and Provable Registration,
   together with the Section 4.2 Identifier requirements, that DRIP
   must provide:

   *  message integrity / non-repudiation

   *  defense against replay attacks

   *  defense against spoofing

   One approach to so doing involves verifiably binding the DRIP
   identifier to a public key. Providing these security features,
   whether via this approach or another, is likely to be especially
   challenging for Observers without Internet connectivity at the time
   of observation. E.g. checking the signature of a registry on a
   public key certificate received via Broadcast RID in a remote area
   presumably would require that the registry's public key had been
   previously installed on the Observer's device, yet there may be
   many registries and the Observer's device may be storage
   constrained, and new registries may come on-line subsequent to
   installation of DRIP software on the Observer's device. Thus there
   may be caveats on the extent to which requirements can be
   satisfied in such cases, yet strenuous effort should be made to
   satisfy them, as such cases, e.g. firefighting in a national
   forest, are important.

7.  Privacy and Transparency Considerations

   Privacy is closely related to but not synonymous with security, and
   conflicts with transparency. Privacy and transparency are important
   for legal reasons including regulatory consistency. [EU2018]
   states "harmonised and interoperable national registration
   systems... should comply with the applicable Union and national law
   on privacy and processing of personal data, and the information
   stored in those registration systems should be easily accessible."

   Privacy and transparency (where essential to security or safety)
   are also ethical and moral imperatives. Even in cases where old
   practices (e.g. automobile registration plates) could be imitated,
   when new applications involving PII (such as UAS RID) are addressed
   and newer technologies could enable improving privacy, such
   opportunities should not be squandered. Thus it is recommended
   that all DRIP documents give due regard to [RFC6973] and more
   broadly [RFC8280].

   DRIP information falls into two classes: that which, to achieve
   the purpose, must be published openly as cleartext, for the benefit
   of any Observer (e.g., the basic UAS ID itself); and that which
   must be protected (e.g., PII of pilots) but made available to
   properly authorized parties (e.g., public safety personnel who
   urgently need to contact pilots in emergencies). How properly
   authorized parties are authorized, authenticated, etc. are
   questions that extend beyond the scope of DRIP, but DRIP may be
   able to provide support for such processes. Classification of
   information as public or private must be made explicit and
   reflected with markings, design, etc. Classifying the information
   will be addressed primarily in external standards; herein it will
   be regarded as a matter for CAA, registry and operator policies,
   for which enforcement mechanisms will be defined within the scope
   of the DRIP WG and offered. Details of the protection mechanisms
   will be provided in other DRIP documents. Mitigation of adversarial
   correlation will also be addressed.

8.  References

8.1.
Normative References 1404 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1405 Requirement Levels", BCP 14, RFC 2119, 1406 DOI 10.17487/RFC2119, March 1997, 1407 . 1409 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 1410 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 1411 May 2017, . 1413 8.2. Informative References 1415 [cpdlc] Gurtov, A., Polishchuk, T., and M. Wernberg, "Controller- 1416 Pilot Data Link Communication Security", MDPI 1417 Sensors 18(5), 1636, 2018, 1418 . 1420 [CTA2063A] ANSI, "Small Unmanned Aerial Systems Serial Numbers", 1421 September 2019. 1423 [Delegated] 1424 European Union Aviation Safety Agency (EASA), "Commission 1425 Delegated Regulation (EU) 2019/945 of 12 March 2019 on 1426 unmanned aircraft systems and on third-country operators 1427 of unmanned aircraft systems", March 2019. 1429 [drip-architecture] 1430 Card, S., Wiethuechter, A., Moskowitz, R., Zhao, S., and 1431 A. Gurtov, "Drone Remote Identification Protocol (DRIP) 1432 Architecture", Work in Progress, Internet-Draft, draft- 1433 ietf-drip-arch-04, 28 October 2020, 1434 . 1436 [ENISACSIRT] 1437 European Union Agency for Cybersecurity (ENISA), 1438 "Actionable information for Security Incident Response", 1439 November 2014, . 1443 [EU2018] European Parliament and Council, "2015/0277 (COD) PE-CONS 1444 2/18", February 2018. 1446 [F3411-19] ASTM International, "Standard Specification for Remote ID 1447 and Tracking", February 2020, 1448 . 1450 [FAACONOPS] 1451 FAA Office of NextGen, "UTM Concept of Operations v2.0", 1452 March 2020. 1454 [I-D.maeurer-raw-ldacs] 1455 Maeurer, N., Graeupl, T., and C. Schmitt, "L-band Digital 1456 Aeronautical Communications System (LDACS)", Work in 1457 Progress, Internet-Draft, draft-maeurer-raw-ldacs-06, 2 1458 October 2020, 1459 . 1461 [ICAOATM] International Civil Aviation Organization, "Doc 4444: 1462 Procedures for Air Navigation Services: Air Traffic 1463 Management", November 2016. 
1465 [ICAOUAS] International Civil Aviation Organization, "Circular 328: 1466 Unmanned Aircraft Systems", February 2011. 1468 [ICAOUTM] International Civil Aviation Organization, "Unmanned 1469 Aircraft Systems Traffic Management (UTM) - A Common 1470 Framework with Core Principles for Global Harmonization, 1471 Edition 2", November 2019. 1473 [Implementing] 1474 European Union Aviation Safety Agency (EASA), "Commission 1475 Implementing Regulation (EU) 2019/947 of 24 May 2019 on 1476 the rules and procedures for the operation of unmanned 1477 aircraft", May 2019. 1479 [InitialView] 1480 SESAR Joint Undertaking, "Initial view on Principles for 1481 the U-space architecture", July 2019. 1483 [NPRM] United States Federal Aviation Administration (FAA), 1484 "Notice of Proposed Rule Making on Remote Identification 1485 of Unmanned Aircraft Systems", December 2019. 1487 [OpenDroneID] 1488 Intel Corp., "Open Drone ID", March 2019, 1489 . 1491 [Opinion1] European Union Aviation Safety Agency (EASA), "Opinion No 1492 01/2020: High-level regulatory framework for the U-space", 1493 March 2020. 1495 [Recommendations] 1496 FAA UAS Identification and Tracking Aviation Rulemaking 1497 Committee, "UAS ID and Tracking ARC Recommendations Final 1498 Report", September 2017. 1500 [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally 1501 Unique IDentifier (UUID) URN Namespace", RFC 4122, 1502 DOI 10.17487/RFC4122, July 2005, 1503 . 1505 [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", 1506 FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, 1507 . 1509 [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., 1510 Morris, J., Hansen, M., and R. Smith, "Privacy 1511 Considerations for Internet Protocols", RFC 6973, 1512 DOI 10.17487/RFC6973, July 2013, 1513 . 1515 [RFC8280] ten Oever, N. and C. Cath, "Research into Human Rights 1516 Protocol Considerations", RFC 8280, DOI 10.17487/RFC8280, 1517 October 2017, . 
   [Roadmap]  American National Standards Institute (ANSI) Unmanned
              Aircraft Systems Standardization Collaborative (UASSC),
              "Standardization Roadmap for Unmanned Aircraft Systems
              draft v2.0", April 2020.

   [Stranger] Heinlein, R.A., "Stranger in a Strange Land", June 1961.

   [WG105]    EUROCAE, "WG-105 draft Minimum Operational Performance
              Standards (MOPS) for Unmanned Aircraft System (UAS)
              Electronic Identification", June 2020.

Appendix A.  Discussion and Limitations

   This document is largely based on the process of one SDO, ASTM.
   Therefore, it is tailored to the specific needs and data formats of
   that standard.  Other organizations, for example in the EU, do not
   necessarily follow the same architecture.

   The need for drone ID and operator privacy is an open discussion
   topic.  For instance, in the ground vehicular domain each car carries
   a publicly visible plate number.  In some countries, for nominal cost
   or even for free, anyone can resolve the identity and contact
   information of the owner.  The civil commercial aviation and maritime
   industries also have a tradition of broadcasting plane or ship ID,
   coordinates and even flight plans in plain text.  Community networks
   such as OpenSky and Flightradar use this open ADS-B information to
   deploy public flight tracking services.  Many researchers also use
   these data to optimize routes and airport operations.  Such ID
   information should be integrity protected, but not necessarily
   confidential.

   In civil aviation, aircraft identity is broadcast by a device known
   as a transponder.  It transmits a four-digit squawk code, which is
   assigned by an air traffic controller, e.g. when a flight plan is
   approved.  There are several reserved codes, such as 7600, which
   indicates radio communication failure.  The codes are unique within
   each control area and can be re-assigned when an aircraft enters
   another control area.  The code is transmitted in plain text, and
   transponder replies are also used for collision avoidance by the
   Traffic alert and Collision Avoidance System (TCAS).  The system
   could initially be used for UAS as well, but the code space is quite
   limited and likely to be exhausted soon, as the number of UAS far
   exceeds the number of civil airplanes in operation.

   The ADS-B system is utilized in civil aviation for each "ADS-B Out"
   equipped airplane to broadcast its ID, coordinates and altitude to
   other airplanes and ground control stations.  If this system were
   adopted for drone IDs, it would have the additional benefit of
   backward compatibility with civil aviation infrastructure: pilots and
   dispatchers would be able to see UA on their control screens and take
   them into account.  If not, a gateway translation system between the
   proposed drone ID and the civil aviation system should be
   implemented.  Again, system saturation due to large numbers of UAS is
   a concern.

   Wi-Fi and Bluetooth are the two wireless technologies currently
   recommended by ASTM specifications due to their widespread use and
   broadcast nature.  However, they have limited range (at most hundreds
   of meters) and may not reliably deliver the UAS ID at high altitude
   or distance.  Therefore, a study should be made of alternative
   technologies from the telecom domain (WiMAX / IEEE 802.16, 5G) or
   sensor networks (Sigfox, LoRa).  Such transmission technologies can
   impose additional restrictions on packet sizes and frequency of
   transmissions, but could provide better energy efficiency and range.
   In civil aviation, Controller-Pilot Data Link Communications (CPDLC)
   is used to transmit command and control between the pilots and ATC.
   It could be considered for UAS as well due to its long range and
   proven use, despite its lack of security [cpdlc].

   The L-band Digital Aeronautical Communications System (LDACS) is
   being standardized by ICAO for use in future civil aviation and is
   described in [I-D.maeurer-raw-ldacs].  It provides secure
   communication, positioning and control for aircraft using a dedicated
   radio band.  It should be analyzed as a potential provider for UAS
   RID as well.  This would bring the benefit of a globally integrated
   system creating global airspace use awareness.

Acknowledgments

   The work of the FAA's UAS Identification and Tracking (UAS ID)
   Aviation Rulemaking Committee (ARC) is the foundation of the later
   ASTM [F3411-19] and IETF DRIP efforts.  The work of Gabriel Cox,
   Intel Corp. and their Open Drone ID collaborators opened UAS RID to a
   wider community.  The work of ASTM F38.02 in balancing the interests
   of diverse stakeholders is essential to the necessary rapid and
   widespread deployment of UAS RID.  IETF volunteers who have
   extensively reviewed or otherwise contributed to this document
   include Amelia Andersdotter, Carsten Bormann, Mohamed Boucadair,
   Toerless Eckert, Susan Hares, Mika Jarvenpaa, Daniel Migault,
   Alexandre Petrescu, Saulo Da Silva and Shuai Zhao.

Authors' Addresses

   Stuart W. Card (editor)
   AX Enterprize
   4947 Commercial Drive
   Yorkville, NY 13495
   United States of America

   Email: stu.card@axenterprize.com

   Adam Wiethuechter
   AX Enterprize
   4947 Commercial Drive
   Yorkville, NY 13495
   United States of America

   Email: adam.wiethuechter@axenterprize.com

   Robert Moskowitz
   HTT Consulting
   Oak Park, MI 48237
   United States of America

   Email: rgm@labs.htt-consult.com

   Andrei Gurtov
   Linköping University
   IDA
   SE-58183 Linköping
   Sweden

   Email: gurtov@acm.org
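   The approach sketched in Section 6 (verifiably binding the DRIP
   identifier to a public key, with defenses against replay and
   spoofing, and an Observer that must verify without Internet
   connectivity) is illustrated by the following added example.  It is
   not part of this document and not DRIP WG code; it is a Go program
   written for this page.  Everything in it is an assumption made for
   illustration: the identifier is a truncated SHA-256 hash of an
   Ed25519 public key (DRIP's own identifier construction and message
   formats are defined in other DRIP documents and differ from this),
   the certificate and message layouts, the registry name "registry-A",
   and a per-UAS-ID sequence number with a replay window of one.

```go
// Added illustrative example, not DRIP WG code; the ID derivation and all layouts are assumptions.
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

var (
	ErrUnknownRegistry = errors.New("registry key not pre-installed on Observer")
	ErrIDBinding       = errors.New("UAS ID is not bound to the presented public key")
	ErrReplay          = errors.New("replayed or out-of-order message")
	ErrSignature       = errors.New("registry or message signature invalid")
)

// DeriveID binds a 128-bit identifier to a public key by hashing the key, so a
// spoofer cannot claim the ID with another key (assumed; DRIP's own differs).
func DeriveID(pub []byte) []byte {
	h := sha256.Sum256(append([]byte("drip-example-id-v0|"), pub...))
	return h[:16]
}

// Cert is a minimal registry attestation that this ID/key pair is registered.
type Cert struct {
	RegistryID   string
	ID, Pub, Sig []byte // Sig: registry signature over certTBS
}
func certTBS(c Cert) []byte { // variable-length name first, fixed-length fields after
	return bytes.Join([][]byte{[]byte("cert|" + c.RegistryID), c.ID, c.Pub}, nil)
}

// IssueCert is the registry's provisioning-time step (compare REG-3).
func IssueCert(registryID string, regPriv ed25519.PrivateKey, pub []byte) Cert {
	c := Cert{RegistryID: registryID, ID: DeriveID(pub), Pub: pub}
	c.Sig = ed25519.Sign(regPriv, certTBS(c))
	return c
}

// Msg is a signed broadcast message; Seq is the signed freshness element
// without which a validly signed message could simply be replayed.
type Msg struct {
	ID, Payload, Sig []byte
	Seq              uint64
}
func msgTBS(m Msg) []byte {
	seq := make([]byte, 8)
	binary.BigEndian.PutUint64(seq, m.Seq)
	return bytes.Join([][]byte{[]byte("msg|"), m.ID, seq, m.Payload}, nil)
}
func SignMsg(priv ed25519.PrivateKey, id []byte, seq uint64, payload []byte) Msg {
	m := Msg{ID: id, Seq: seq, Payload: payload}
	m.Sig = ed25519.Sign(priv, msgTBS(m))
	return m
}

// Observer: registry keys installed before going offline, plus the last
// sequence number accepted per UAS ID (a replay window of one).
type Observer struct {
	trusted map[string][]byte
	lastSeq map[string]uint64
}
func NewObserver(registryID string, regPub []byte) *Observer {
	return &Observer{trusted: map[string][]byte{registryID: regPub}, lastSeq: map[string]uint64{}}
}

// Verify runs the cheap checks first, so a flood of spoofed messages is
// rejected before the signature verifications that cost the most cycles.
func (o *Observer) Verify(c Cert, m Msg) error {
	regPub, ok := o.trusted[c.RegistryID]
	switch {
	case !ok: // the offline-Observer caveat of Section 6
		return ErrUnknownRegistry
	case !bytes.Equal(m.ID, c.ID) || !bytes.Equal(c.ID, DeriveID(c.Pub)): // spoofing defense
		return ErrIDBinding
	case m.Seq <= o.lastSeq[string(m.ID)]: // replay defense, before any signature work
		return ErrReplay
	case !ed25519.Verify(regPub, certTBS(c), c.Sig) || !ed25519.Verify(c.Pub, msgTBS(m), m.Sig):
		return ErrSignature
	}
	o.lastSeq[string(m.ID)] = m.Seq
	return nil
}

func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	return pub, priv
}
func main() {
	regPub, regPriv := NewKeyPair()
	uaPub, uaPriv := NewKeyPair()
	cert := IssueCert("registry-A", regPriv, uaPub)
	obs := NewObserver("registry-A", regPub)
	m := SignMsg(uaPriv, cert.ID, 1, []byte("constructed position report"))
	fmt.Println("fresh:", obs.Verify(cert, m), "| replay:", obs.Verify(cert, m))
}
```

   Running it prints a nil error for the fresh message and the replay
   error for the same message presented again.  The check order in
   Verify is the point: the registry lookup, the identifier-to-key
   binding and the sequence number are cheap comparisons evaluated
   before either Ed25519 verification, which is what bounds the
   processing overload from a flood of spoofed signed messages.  A
   certificate from a registry whose key was not installed before the
   Observer went offline is rejected outright, which is the caveat
   Section 6 raises; a real receiver would also add a per-sender rate
   limit and a tolerance window for out-of-order broadcasts.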