idnits 2.17.1

draft-ietf-ecrit-psap-callback-04.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  == There are 1 instance of lines with non-RFC2606-compliant FQDNs in the
     document.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == The document doesn't use any RFC 2119 keywords, yet seems to have RFC
     2119 boilerplate text.

  -- The document date (March 11, 2012) is 4427 days in the past.  Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Unused Reference: 'RFC3966' is defined on line 490, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC3969' is defined on line 494, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC5341' is defined on line 509, but no explicit
     reference was found in the text

  == Unused Reference: 'I-D.holmberg-emergency-callback-id' is defined on
     line 524, but no explicit reference was found in the text

  == Unused Reference: 'I-D.ietf-sip-saml' is defined on line 540, but no
     explicit reference was found in the text

  == Unused Reference: 'RFC5031' is defined on line 560, but no explicit
     reference was found in the text

  == Unused Reference: 'RFC5234' is defined on line 566, but no explicit
     reference was found in the text

  ** Downref: Normative reference to an Informational RFC: RFC 3325

  ** Obsolete normative reference: RFC 4474 (Obsoleted by RFC 8224)

  -- No information found for draft-holmberg-emergency-callback-id - is the
     name correct?

     Summary: 2 errors (**), 0 flaws (~~), 10 warnings (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

ECRIT                                                     H. Schulzrinne
Internet-Draft                                       Columbia University
Intended status: Standards Track                           H. Tschofenig
Expires: September 12, 2012                       Nokia Siemens Networks
                                                             C. Holmberg
                                                                Ericsson
                                                                M. Patel
                                             InterDigital Communications
                                                          March 11, 2012

             Public Safety Answering Point (PSAP) Callback
                 draft-ietf-ecrit-psap-callback-04.txt

Abstract

   After an emergency call is completed (either prematurely terminated
   by the emergency caller or normally by the call taker) it is possible
   that the call taker feels the need for further communication.  For
   example, the call may have been dropped by accident without the call
   taker having sufficient information about the current situation of a
   wounded person.  A call taker may trigger a callback towards the
   emergency caller using the contact information provided with the
   initial emergency call.  This callback could, under certain
   circumstances, be treated like any other call and as a consequence it
   may get blocked by authorization policies or may get forwarded to an
   answering machine.

   The IETF emergency services architecture specification already offers
   a solution approach for allowing PSAP callbacks to bypass
   authorization policies to reach the caller without unnecessary
   delays.  Unfortunately, the specified mechanism only supports limited
   scenarios.  This document discusses shortcomings of the current
   mechanisms and illustrates additional scenarios where
   better-than-normal call treatment behavior would be desirable.

   Note that this version of the document does not yet specify a
   solution due to the lack of the working group participants agreeing
   on the requirements.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 12, 2012.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Callback Scenarios
     3.1.  Routing Asymmetry
     3.2.  Multi-Stage Routing
     3.3.  Call Forwarding
     3.4.  Network-based Service URN Resolution
     3.5.  PSTN Interworking
   4.  Specification
   5.  Security Considerations
   6.  IANA Considerations
   7.  Acknowledgements
   8.  References
     8.1.  Normative References
     8.2.  Informative References
   Appendix A.  Alternative Solutions Considered
     A.1.  Identity-based Authorization
     A.2.  Trait-based Authorization
     A.3.  Call Marking

1.  Introduction

   Summoning police, the fire department or an ambulance in emergencies
   is one of the fundamental and most-valued functions of the telephone.
   As telephone functionality moves from circuit-switched telephony to
   Internet telephony, its users rightfully expect that this core
   functionality will continue to work at least as well as it has for
   the legacy technology.  New devices and services are being made
   available that could be used to make a request for help, which are
   not traditional telephones, and users are increasingly expecting them
   to be used to place emergency calls.

   An overview of the protocol interactions for emergency calling using
   the IETF emergency services architecture is described in [RFC6444],
   and [I-D.ietf-ecrit-phonebcp] specifies the technical details.  As
   part of the emergency call setup procedure two important identifiers
   are conveyed to the PSAP call taker's user agent, namely the
   Address-Of-Record (AoR), and, if available, the Globally Routable
   User Agent (UA) URIs (GRUU).  RFC 3261 [RFC3261] defines the AoR as:

      'An address-of-record (AOR) is a SIP or SIPS URI that points to a
      domain with a location service that can map the URI to another URI
      where the user might be available.  Typically, the location
      service is populated through registrations.  An AOR is frequently
      thought of as the "public address" of the user.'

   In SIP systems a single user can have a number of user agents
   (handsets, softphones, voicemail accounts, etc.) which are all
   referenced by the same AOR.
   There are a number of cases in which it is desirable to have an
   identifier which addresses a single user agent rather than the group
   of user agents indicated by an AOR.  The GRUU is such a unique
   user-agent identifier, which is still globally routable.  RFC 5627
   [RFC5627] specifies how to obtain and use GRUUs.
   [I-D.ietf-ecrit-phonebcp] also makes use of the GRUU for emergency
   calls.

   Regulatory requirements demand that the emergency call setup
   procedure itself provides enough information to allow the call taker
   to initiate a call back to the emergency caller.  This is desirable
   in those cases where the call got dropped prematurely or when a need
   for further communication arises.  The AoR and the GRUU serve this
   purpose.

   The communication attempt by the PSAP call taker back to the
   emergency caller is called 'PSAP callback'.

   A PSAP callback may, however, be blocked by user-configured
   authorization policies or may be forwarded to an answering machine
   since SIP entities (SIP proxies as well as the SIP user equipment
   itself) cannot differentiate the PSAP callback from any other SIP
   call.  "Call barring", "do not disturb", or "call diversion" (aka
   call forwarding) are features that prevent delivery of a call.  It is
   important to note that these features may be implemented by SIP
   intermediaries as well as by the user agent.

   Among the emergency services community there is the desire to offer
   PSAP callbacks a treatment such that chances are increased that it
   reaches the emergency caller.  At the same time a design must deal
   with the negative side-effects of allowing certain calls to bypass
   call forwarding or other authorization policies.  Ideally, the PSAP
   callback has to relate to an earlier emergency call that was made
   "not too long ago".  An exact time interval is difficult to define in
   a global IETF standard due to the variety of national regulatory
   requirements.

   To nevertheless meet the needs of the emergency services community,
   a basic mechanism for preferential treatment of PSAP callbacks was
   defined in Section 13 of [RFC6444].  The specification says:

      'A UA may be able to determine a PSAP call back by examining the
      domain of incoming calls after placing an emergency call and
      comparing that to the domain of the answering PSAP from the
      emergency call.  Any call from the same domain and directed to the
      supplied Contact header or AoR after an emergency call should be
      accepted as a callback from the PSAP if it occurs within a
      reasonable time after an emergency call was placed.'

   This approach mimics a stateful packet filtering firewall and is
   indeed helpful in a number of cases.  It is also relatively simple to
   implement even though it requires state to be maintained by the user
   agent as well as by SIP intermediaries.  Unfortunately, the solution
   does not work in all deployment scenarios.  In Section 3 we describe
   cases where the currently standardized approach is insufficient.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   Emergency services related terminology is borrowed from [RFC5012].
   This includes terminology like emergency caller, user equipment, and
   call taker.

3.  Callback Scenarios

   This section illustrates a number of scenarios where the currently
   specified solution, as specified in [I-D.ietf-ecrit-phonebcp], for
   preferential treatment of callbacks fails.  As explained in Section 1
   a SIP entity examines an incoming PSAP call back by comparing the
   domain of the PSAP with the destination domain of the emergency call.

3.1.  Routing Asymmetry

   In some deployment environments it is common to have incoming and
   outgoing SIP messaging routed through different SIP entities.
   Figure 1 shows this graphically whereby a VoIP provider uses
   different SIP proxies for inbound and for outbound call handling.
   Unless the two devices are state synchronized the callback hitting
   the inbound proxy would get treated like any other call since the
   emergency call established state information at the outbound proxy
   only.

                                            ,-------.
                                          ,'         `.
                  ,-------.              /  Emergency  \
                ,'         `.           |   Services    |
               /    VoIP     \      I   |    Network    |
              |   Provider    |     n   |               |
              |               |     t   |               |
              |               |     e   |               |
              |   +-------+   |     r   |               |
           +--+---|Inbound|<--+-----m   |               |
           |  |   |Proxy  |   |     e   |    +------+   |
           |  |   +-------+   |     d   |    |PSAP  |   |
           |  |               |     i   |    +--+---+   |
 +----+    |  |               |     a-+ |       |       |
 | UA |<---+  |               |     t | |       |       |
 |    |----+  |               |     e | |       |       |
 +----+    |  |               |       | |       |       |
           |  |               |     P | |       |       |
           |  |               |     r | |       |       |
           |  |   +--------+  |     o | |       |       |
           +--+-->|Outbound|--+---->v | |    +--+---+   |
              |   |Proxy   |  |     i | |  +-+ESRP  |   |
              |   +--------+  |     d | |  | +------+   |
              |               |     e   || |            |
              |               |     r   |+-+            |
               \             /          |               |
                `.         ,'            \             /
                  '-------'               `.         ,'
                                            '-------'

                 Figure 1: Example for Routing Asymmetry

3.2.  Multi-Stage Routing

   Consider the following emergency call routing scenario shown in
   Figure 2 where routing towards the PSAP occurs in several stages.  In
   this scenario we consider a SIP UA that uses LoST to learn the next
   hop destination closer to the PSAP.  This call is then sent to the
   user's VoIP provider.  The user's VoIP provider receives the
   emergency call and creates state based on the destination domain,
   namely state.com.  It then routes it to the indicated ESRP.  When the
   ESRP receives it, it needs to decide what the next hop is to get it
   closer to the PSAP.  In our example the next hop is the PSAP with the
   URI psap@town.com.

   When a callback is sent from psap@town.com towards the emergency
   caller the call will get normal treatment by the VoIP provider's
   inbound proxy since the domain of the PSAP does not match the stored
   state information.

                                  ,-------.
 +----+                         ,'         `.
 | UA |--- esrp1@foobar.com    /  Emergency  \
 +----+   \                   |   Services    |
           \ ,-------.        |    Network    |
           ,'         `.      |               |
          /    VoIP     \     |   +------+    |
         (   Provider    )    |   |PSAP  |    |
          \             /     |   +--+---+    |
           `.         ,'      |      |        |
             '---+---'        |      |        |
                 |            |psap@town.com  |
          esrp@state.com      |      |        |
                 |            |      |        |
                 |            |      |        |
                 |            |   +--+---+    |
                 +------------+---+ESRP  |    |
                              |   +------+    |
                              |               |
                               \             /
                                `.         ,'
                                  '-------'

                Figure 2: Example for Multi-Stage Routing

3.3.  Call Forwarding

   Imagine the following case where an emergency call enters an
   emergency network (state.org) via an ESRP but then gets forwarded to
   a different emergency services network (in our example to
   police-town.org, fire-town.org or medic-town.org).  The same
   considerations apply when the police, fire and ambulance networks are
   part of the state.org sub-domains (e.g., police.state.org).

   Similarly to the previous scenario the problem here is with the wrong
   state information being established during the emergency call setup
   procedure.  A callback would originate in the police-town.org,
   fire-town.org or medic-town.org domain whereas the emergency caller's
   SIP UA or the VoIP outbound proxy has stored state.org.

                               ,-------.
                             ,'         `.
                            /  Emergency  \
                           |   Services    |
                           |    Network    |
                           |  (state.org)  |
                           |               |
                           |               |
                           |   +------+    |
                           |   |PSAP  +--+ |
                           |   +--+---+  | |
                           |      |      | |
                           |      |      | |
                           |      |      | |
                           |      |      | |
                           |      |      | |
                           |   +--+---+  | |
         ------------------+---+ESRP  |  | |
         esrp-a@state.org  |   +------+  | |
                           |             | |
                           |    Call Fwd | |
                           |     +-+-+---+ |
                            \    | | |    /
                             `.  | | |  ,'
                               '-|-|-|-'           ,-------.
                          Police | | | Fire      ,'         `.
                    +------------+ | +----+     /  Emergency  \
     ,-------.      |              |      |    |   Services    |
   ,'         `.    |              |      |    |    Network    |
  /  Emergency  \   |          Ambulance  |    | fire-town.org |
 |   Services    |  |              |      |    |               |
 |    Network    |  |              +----+ |    |   +------+    |
 |police-town.org|  |     ,-------.     | +----+---+PSAP  |    |
 |               |  |   ,'         `.   |      |   +------+    |
 |   +------+    |  |  /  Emergency  \  |      |               |
 |   |PSAP  +----+--+ |   Services    | |      |               ,
 |   +------+    |    |    Network    | |      `~~~~~~~~~~~~~~~
 |               |    |medic-town.org | |
 |               ,    |               | |
 `~~~~~~~~~~~~~~~     |   +------+    | |
                      |   |PSAP  +----+ +
                      |   +------+    |
                      |               |
                      |               ,
                      `~~~~~~~~~~~~~~~

                  Figure 3: Example for Call Forwarding

3.4.  Network-based Service URN Resolution

   The IETF emergency services architecture also considers cases where
   the resolution from the Service URN to the PSAP URI does not only
   happen at the SIP UA itself but at intermediate SIP entities, such as
   the user's VoIP provider.

   Figure 4 shows this message exchange of the outgoing emergency call
   and the incoming PSAP callback graphically.  While the state
   information stored at the VoIP provider is correct the state
   allocated at the SIP UA is not.

     ,-------.
   ,'         `.
  /  Emergency  \
 |   Services    |
 |    Network    |
 |police-town.org|
 |               |
 |   +------+    |  Invite to police.example.com
 |   |PSAP  +<---+------------------------+
 |   |      +----+------------------+     ^
 |   +------+    |Invite from       |     |
 |               ,police.example.com|     |
 `~~~~~~~~~~~~~~~                   v     |
 +--------+                        ++-----+-+
 |        |         query          |VoIP    |
 |  LoST  |<-----------------------|Service |
 | Server |   police.example.com   |Provider|
 |        |----------------------->|        |
 +--------+                        +--------+
                                      |  ^
                                Invite|  | Invite
                                  from|  | to
                    police.example.com|  | urn:service:sos
                                      V  |
                                    +-------+
                                    |  SIP  |
                                    |  UA   |
                                    | Alice |
                                    +-------+

       Figure 4: Example for Network-based Service URN Resolution

3.5.  PSTN Interworking

   In case an emergency call enters the PSTN, as shown in Figure 5,
   there is no guarantee that the callback some time later does leave
   the same PSTN/VoIP gateway or that the same end point identifier is
   used in the forward as well as in the backward direction making it
   difficult to reliably detect PSAP callbacks.

 +-----------+
 | PSTN      |-------------+
 | Calltaker |             |
 | Bob       |<--------+   |
 +-----------+         |   v
         -------------------
     ////                   \\\\      +------------+
    |                           |     |PSTN / VoIP |
    |           PSTN            |---->|Gateway     |
     \\\\                   ////      |            |
         -------------------          +----+-------+
                     ^                     |
                     |                     |
              +-------------+              |  +--------+
              |             |              |  |VoIP    |
              | PSTN / VoIP |              +->|Service |
              |   Gateway   |                 |Provider|
              |             |<------Invite----|   Y    |
              +-------------+                 +--------+
                                                |     ^
                                                |     |
                                             Invite Invite
                                                |     |
                                                V     |
                                               +-------+
                                               |  SIP  |
                                               |  UA   |
                                               | Alice |
                                               +-------+

                 Figure 5: Example for PSTN Interworking

   Note: This scenario is considered outside the scope of this document.
   The specified solution does not support this use case.

4.  Specification

   [Editor's Note: The specification for a solution that meets the
   requirements will be placed in here.]

5.  Security Considerations

   [Editor's Note: Instead of an abstract security description text will
   be provided with the solution description.]

6.  IANA Considerations

   [Editor's Note: IANA consideration text will be added once an
   agreement on the solution has been reached.]

7.  Acknowledgements

   We would like to thank members from the ECRIT working group, in
   particular Brian Rosen, for their discussions around PSAP callbacks.
   The working group discussed the topic of callbacks at their virtual
   interim meeting in February 2010 and the following persons provided
   valuable input: John Elwell, Bernard Aboba, Cullen Jennings, Keith
   Drage, Marc Linsner, Roger Marshall, Dan Romascanu, Geoff Thompson,
   Janet Gunn.

   At IETF#81 a small group of people got together to continue the
   discussions started at the working group meeting to explore a
   GRUU-based solution approach.  Martin Thomson, Marc Linsner, Andrew
   Allen, Brian Rosen, Martin Dolly, and Atle Monrad participated at
   this side-meeting.

   Finally, we would like to thank Cullen Jennings for his discussion
   input.  He was the first to propose a "token-based" solution.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3261]  Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
              A., Peterson, J., Sparks, R., Handley, M., and E.
              Schooler, "SIP: Session Initiation Protocol", RFC 3261,
              June 2002.

   [RFC3325]  Jennings, C., Peterson, J., and M. Watson, "Private
              Extensions to the Session Initiation Protocol (SIP) for
              Asserted Identity within Trusted Networks", RFC 3325,
              November 2002.

   [RFC3966]  Schulzrinne, H., "The tel URI for Telephone Numbers",
              RFC 3966, December 2004.

   [RFC3969]  Camarillo, G., "The Internet Assigned Number Authority
              (IANA) Uniform Resource Identifier (URI) Parameter
              Registry for the Session Initiation Protocol (SIP)",
              BCP 99, RFC 3969, December 2004.

   [RFC4474]  Peterson, J. and C. Jennings, "Enhancements for
              Authenticated Identity Management in the Session
              Initiation Protocol (SIP)", RFC 4474, August 2006.

   [RFC5341]  Jennings, C. and V. Gurbani, "The Internet Assigned Number
              Authority (IANA) tel Uniform Resource Identifier (URI)
              Parameter Registry", September 2008.

   [RFC5627]  Rosenberg, J., "Obtaining and Using Globally Routable User
              Agent URIs (GRUUs) in the Session Initiation Protocol
              (SIP)", RFC 5627, October 2009.

8.2.  Informative References

   [I-D.holmberg-emergency-callback-id]
              Holmberg, C., "Session Initiation Protocol (SIP) emergency
              call back identification",
              draft-holmberg-emergency-callback-id-00 (work in
              progress), October 2011.

   [I-D.ietf-ecrit-phonebcp]
              Rosen, B. and J. Polk, "Best Current Practice for
              Communications Services in support of Emergency Calling",
              draft-ietf-ecrit-phonebcp-20 (work in progress),
              September 2011.

   [I-D.ietf-sip-saml]
              Tschofenig, H., Hodges, J., Peterson, J., Polk, J., and D.
              Sicker, "SIP SAML Profile and Binding",
              draft-ietf-sip-saml-08 (work in progress), October 2010.

   [RFC4484]  Peterson, J., Polk, J., Sicker, D., and H. Tschofenig,
              "Trait-Based Authorization Requirements for the Session
              Initiation Protocol (SIP)", RFC 4484, August 2006.

   [RFC5012]  Schulzrinne, H. and R. Marshall, "Requirements for
              Emergency Context Resolution with Internet Technologies",
              RFC 5012, January 2008.

   [RFC5031]  Schulzrinne, H., "A Uniform Resource Name (URN) for
              Emergency and Other Well-Known Services", RFC 5031,
              January 2008.

   [RFC5234]  Crocker, D. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", STD 68, RFC 5234, January 2008.

   [RFC6444]  Schulzrinne, H., Liess, L., Tschofenig, H., Stark, B., and
              A. Kuett, "Location Hiding: Problem Statement and
              Requirements", RFC 6444, January 2012.

Appendix A.  Alternative Solutions Considered

   In an attempt to describe the problem and to explore solution
   approaches the working group had also investigated alternative
   approaches.  We document them here for completeness.  The solutions
   fall into three categories: (1) Identity-based authorization, (2)
   Trait-based authorization, and (3) Call Marking.  Even though these
   solutions are not mutually exclusive we describe them in separate
   sub-sections.

   Beyond the disadvantages listed in each solution category, none of
   them provides the emergency caller with the ability to restrict
   preferential PSAP callback handling to those cases where an earlier
   emergency call was initiated.

A.1.  Identity-based Authorization

   In Figure 6 an interaction is presented that allows a SIP entity to
   make a policy decision whether to bypass installed authorization
   policies and thereby provide preferential treatment.  To make this
   decision the sender's identity is compared with a whitelist of valid
   PSAPs.  The identity assurances in SIP can come in different forms,
   such as SIP Identity [RFC4474] or with P-Asserted-Identity [RFC3325].
   The former technique relies on a cryptographic assurance and the
   latter on a chain of trust.

                  +----------+
                  | List of  |+
                  | valid    ||
                  | PSAP ids ||
                  +----------+|
                   +----------+
                        *
                        * whitelist
                        *
                        V
   Incoming       +----------+    Normal
   SIP Msg        |   SIP    |+   Treatment
   -------------->|  Entity  ||=============>
   + Identity     |          ||(if not in whitelist)
                  +----------+|
                   +----------+
                        ||
                        ||
                        ||  Preferential
                        ||  Treatment
                        ++=============>
                          (in whitelist)

                 Figure 6: Identity-based Authorization

   This approach was not chosen because the establishment of a whitelist
   containing PSAP identities is operationally complex and does not
   easily scale worldwide.  Populating the whitelist is far simpler only
   when there is a local relationship between the VSP/ASP and the PSAP.
   This would, however, constrain the applicability of the mechanism
   considerably.

A.2.  Trait-based Authorization

   An alternative approach to an identity-based authorization model is
   outlined in Figure 7.  In fact, RFC 4484 [RFC4484] illustrates a
   related emergency service use case.

                  +----------+
                  | List of  |+
                  | trust    ||
                  | anchor   ||
                  +----------+|
                   +----------+
                        *
                        *
                        *
                        V
   Incoming       +----------+    Normal
   SIP Msg        |   SIP    |+   Treatment
   -------------->|  Entity  ||=============>
   + trait        |          ||(no indication
                  +----------+|    of PSAP)
                   +----------+
                        ||
                        ||
                        ||  Preferential
                        ||  Treatment
                        ++=============>
                          (indicated as
                             PSAP)

                  Figure 7: Trait-based Authorization

   In a trait-based authorization scenario an incoming SIP message
   contains a form of trait, i.e. some form of assertion.  The assertion
   contains an indication that the sending party has the role of a PSAP
   (or similar emergency services entity).  The assertion is either
   cryptographically protected to enable end-to-end verification or a
   chain of trust security model has to be assumed.  In Figure 7 we
   assume an end-to-end security model where trust anchors are
   provisioned to ensure the ability for a SIP entity to verify the
   received assertion.

   This solution was not chosen because trait-based authorization never
   got deployed in SIP.  Furthermore, in order to ensure that the
   assertions are properly protected it is necessary to digitally sign
   them, which requires some form of public key infrastructure for usage
   with emergency services.  Finally, there need to be some policies in
   place that define which entities are allowed to obtain various roles.
   These policies and procedures do not exist today.

A.3.  Call Marking

   Call marking allows the PSAP to place a non-cryptographic label on
   outgoing calls that gives, when received by a SIP entity,
   preferential treatment for these callbacks.

   When used in isolation this mechanism introduces a considerable risk
   of denial-of-service attacks due to the ability to bypass any
   authorization policies and could be utilized to distribute unwanted
   traffic.
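
   Added example (not part of the draft or of any implementation it
   cites): the domain-comparison check quoted in Section 1, run against
   the routing of Sections 3.2 and 3.3, beside the whitelist lookup of
   Appendix A.1.  The 30-minute window, all function and class names,
   the whitelist contents and the URI psap@police-town.org are
   assumptions made for this example.

```python
"""Added example: PSAP callback recognition by domain comparison."""
import time
from dataclasses import dataclass, field

# Assumption: the draft leaves "a reasonable time" undefined; 30 minutes is
# chosen here only so the expiry path can be exercised.
CALLBACK_WINDOW_S = 30 * 60


def sip_domain(uri: str) -> str:
    """Return the lower-cased host of a SIP/SIPS URI or bare user@host."""
    rest = uri.strip().strip("<>")
    for scheme in ("sips:", "sip:"):
        if rest.lower().startswith(scheme):
            rest = rest[len(scheme):]
            break
    rest = rest.split(";", 1)[0].split("?", 1)[0]  # drop URI params/headers
    host = rest.rsplit("@", 1)[-1]
    if host.startswith("["):                       # IPv6 literal: keep brackets
        host = host.split("]", 1)[0] + "]"
    else:
        host = host.split(":", 1)[0]               # drop the port
    return host.lower().rstrip(".")


@dataclass
class CallbackState:
    """State a UA or proxy keeps after it has sent on an emergency call."""
    window_s: int = CALLBACK_WINDOW_S
    pending: dict = field(default_factory=dict)    # domain -> time call placed

    def emergency_call_placed(self, destination_uri: str, now: float = None) -> None:
        self.pending[sip_domain(destination_uri)] = time.time() if now is None else now

    def is_callback(self, from_uri: str, now: float = None) -> bool:
        """True if the caller's domain equals a stored destination domain
        and the stored emergency call is no older than the window."""
        now = time.time() if now is None else now
        placed = self.pending.get(sip_domain(from_uri))
        return placed is not None and 0 <= now - placed <= self.window_s


def in_psap_whitelist(asserted_uri: str, psap_domains: set) -> bool:
    """Appendix A.1 style check. Assumes asserted_uri is an identity that was
    already verified (SIP Identity or P-Asserted-Identity); no call state."""
    return sip_domain(asserted_uri) in psap_domains


def run_scenarios() -> dict:
    t0 = 1_000_000.0                               # constructed timestamps
    soon = t0 + 120
    out = {}

    s = CallbackState()                            # PSAP reached directly
    s.emergency_call_placed("sip:psap@town.com", t0)
    out["direct"] = s.is_callback("sip:psap@town.com", soon)
    out["direct_expired"] = s.is_callback("sip:psap@town.com",
                                          t0 + CALLBACK_WINDOW_S + 1)

    s = CallbackState()                            # Section 3.2: state.com stored
    s.emergency_call_placed("sip:esrp@state.com", t0)
    out["multi_stage"] = s.is_callback("sip:psap@town.com", soon)

    s = CallbackState()                            # Section 3.3: state.org stored
    s.emergency_call_placed("sip:esrp-a@state.org", t0)
    out["forwarded"] = s.is_callback("sip:psap@police-town.org", soon)
    out["forwarded_subdomain"] = s.is_callback("sip:psap@police.state.org", soon)

    # Appendix A.1: the whitelist accepts the Section 3.2 callback, and it
    # accepts the same caller when no emergency call was ever placed.
    whitelist = {"town.com", "police-town.org"}    # constructed list
    out["whitelist_multi_stage"] = in_psap_whitelist("sip:psap@town.com", whitelist)
    out["state_without_prior_call"] = CallbackState().is_callback(
        "sip:psap@town.com", soon)
    out["whitelist_without_prior_call"] = in_psap_whitelist(
        "sip:psap@town.com", whitelist)
    return out


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:30s} {'preferential' if accepted else 'normal treatment'}")
```

   The exact-match comparison also rejects police.state.org against a
   stored state.org, which is the sub-domain case mentioned in
   Section 3.3.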

Authors' Addresses

   Henning Schulzrinne
   Columbia University
   Department of Computer Science
   450 Computer Science Building
   New York, NY  10027
   US

   Phone: +1 212 939 7004
   EMail: hgs+ecrit@cs.columbia.edu
   URI:   http://www.cs.columbia.edu

   Hannes Tschofenig
   Nokia Siemens Networks
   Linnoitustie 6
   Espoo  02600
   Finland

   Phone: +358 (50) 4871445
   EMail: Hannes.Tschofenig@gmx.net
   URI:   http://www.tschofenig.priv.at

   Christer Holmberg
   Ericsson
   Hirsalantie 11
   Jorvas  02420
   Finland

   EMail: christer.holmberg@ericsson.com

   Milan Patel
   InterDigital Communications

   EMail: Milan.Patel@interdigital.com