idnits 2.17.1 draft-ietf-ecrit-trustworthy-location-11.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (1 June 2014) is 3588 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Unused Reference: 'I-D.ietf-stir-problem-statement' is defined on line 998, but no explicit reference was found in the text == Unused Reference: 'I-D.jennings-stir-rfc4474bis' is defined on line 1008, but no explicit reference was found in the text == Outdated reference: A later version (-04) exists of draft-ietf-stir-threats-02 -- Obsolete informational reference (is this intentional?): RFC 2818 (Obsoleted by RFC 9110) -- Obsolete informational reference (is this intentional?): RFC 4474 (Obsoleted by RFC 8224) -- Obsolete informational reference (is this intentional?): RFC 5246 (Obsoleted by RFC 8446) -- Obsolete informational reference (is this intentional?): RFC 5751 (Obsoleted by RFC 8551) Summary: 0 errors (**), 0 flaws (~~), 4 warnings (==), 5 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 ECRIT Working Group H. Tschofenig 3 INTERNET-DRAFT ARM Ltd. 4 Category: Informational H. Schulzrinne 5 Expires: December 2, 2014 Columbia University 6 B. Aboba (ed.) 7 Microsoft Corporation 8 1 June 2014 10 Trustworthy Location 11 draft-ietf-ecrit-trustworthy-location-11.txt 13 Abstract 15 The trustworthiness of location information is critically important 16 for some location-based applications, such as emergency calling or 17 roadside assistance. 19 This document describes threats relating to conveyance of location an 20 emergency call, and describes techniques that improve the reliability 21 and security of location information conveyed in a IP-based emergency 22 service call. It also provides guidelines for assessing the 23 trustworthiness of location information. 25 Status of This Memo 27 This Internet-Draft is submitted in full conformance with the 28 provisions of BCP 78 and BCP 79. 30 Internet-Drafts are working documents of the Internet Engineering 31 Task Force (IETF). Note that other groups may also distribute 32 working documents as Internet-Drafts. The list of current Internet- 33 Drafts is at http://datatracker.ietf.org/drafts/current/. 35 Internet-Drafts are draft documents valid for a maximum of six months 36 and may be updated, replaced, or obsoleted by other documents at any 37 time. It is inappropriate to use Internet-Drafts as reference 38 material or to cite them other than as "work in progress." 40 This Internet-Draft will expire on December 2, 2014. 42 Copyright Notice 44 Copyright (c) 2014 IETF Trust and the persons identified as the 45 document authors. All rights reserved. 47 This document is subject to BCP 78 and the IETF Trust's Legal 48 Provisions Relating to IETF Documents 49 (http://trustee.ietf.org/license-info) in effect on the date of 50 publication of this document. Please review these documents 51 carefully, as they describe your rights and restrictions with respect 52 to this document. Code Components extracted from this document must 53 include Simplified BSD License text as described in Section 4.e of 54 the Trust Legal Provisions and are provided without warranty as 55 described in the Simplified BSD License. 57 Table of Contents 59 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 60 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 61 1.2 Literature review . . . . . . . . . . . . . . . . . . . . 5 62 2. Threat Model . . . . . . . . . . . . . . . . . . . . . . . . 7 63 2.1. Location Spoofing . . . . . . . . . . . . . . . . . . . . 8 64 2.2. Identity Spoofing . . . . . . . . . . . . . . . . . . . . 9 65 3. Mitigation Techniques . . . . . . . . . . . . . . . . . . . . 9 66 3.1. Signed Location by Value . . . . . . . . . . . . . . . . . 10 67 3.2. Location by Reference . . . . . . . . . . . . . . . . . . 13 68 3.3. Proxy Adding Location . . . . . . . . . . . . . . . . . . 16 69 4. Location Trust Assessment . . . . . . . . . . . . . . . . . . 18 70 5. Security Considerations . . . . . . . . . . . . . . . . . . . 20 71 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22 72 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 22 73 7.1. Informative references . . . . . . . . . . . . . . . . . . 22 74 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 25 75 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 25 77 1. Introduction 79 Several public and commercial services depend upon location 80 information in their operations. This includes emergency services 81 (such as fire, ambulance and police) as well as commercial services 82 such as food delivery and roadside assistance. 84 For circuit-switched calls from landlines, as well as for Voice over 85 IP (VoIP) services only supporting emergency service calls from 86 stationary devices, location provided to the Public Safety Answering 87 Point (PSAP) is determined from a lookup using the calling telephone 88 number. As a result, for landlines or stationary VoIP, spoofing of 89 caller identification can result in the PSAP incorrectly determining 90 the caller's location. Problems relating to calling party number and 91 Caller ID assurance have been analyzed by the "Secure Telephone 92 Identity Revisited" [STIR] Working Group as described in "Secure 93 Telephone Identity Problem Statement and Requirements" [I-D.ietf- 94 stir-problem-statement]. In addition to the work underway in STIR, 95 other mechanisms exist for validating caller identification. For 96 example, as noted in [EENA], one mechanism for validating caller 97 identification information (as well as the existence of an emergency) 98 is for the PSAP to call the user back, as described in [RFC7090]. 100 Given the existing work on caller identification, this document 101 focuses on the additional threats that are introduced by the support 102 of IP-based emergency services in nomadic and mobile devices, in 103 which location may be conveyed to the PSAP within the emergency call. 104 Ideally, a call taker at a PSAP should be able to assess, in real- 105 time, the level of trust that can be placed on the information 106 provided within a call. This includes automated location conveyed 107 along with the call and location information communicated by the 108 caller, as well as identity information relating to the caller or the 109 device initiating the call. Where real-time assessment is not 110 possible, it is important to be able to determine the source of the 111 call in a post-incident investigation, so as to be able to enforce 112 accountability. 114 This document defines terminology (including the meaning of 115 "trustworthy location") in Section 1.1, reviews existing work in 116 Section 1.2, describes the threat model in Section 2, outlines 117 potential mitigation techniques in Section 3, covers trust assessment 118 in Section 4 and discusses security considerations in Section 5. 120 1.1. Terminology 122 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 123 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 124 document are to be interpreted as described in [RFC2119]. 126 The definitions of "Internet Access Provider (IAP)", "Internet 127 Service Provider (ISP)" and "Voice Service Provider (VSP)" are taken 128 from "Requirements for Emergency Context Resolution with Internet 129 Technologies" [RFC5012]. 131 The definition of a "hoax call" is taken from "False Emergency Calls" 132 [EENA]. 134 The definition of "Target" and "Device" is taken from "An 135 Architecture for Location and Location Privacy in Internet 136 Applications" [RFC6280]. 138 The term "location determination method" refers to the mechanism used 139 to determine the location of a Target. This may be something 140 employed by a location information server (LIS), or by the Target 141 itself. It specifically does not refer to the location configuration 142 protocol (LCP) used to deliver location information either to the 143 Target or the Recipient. This term is re-used from "GEOPRIV PIDF-LO 144 Usage Clarification, Considerations, and Recommendations" [RFC5491]. 146 The term "source" is used to refer to the LIS, node, or device from 147 which a Recipient (Target or Third-Party) obtains location 148 information. 150 Additionally, the terms Location-by-Value (LbyV), Location-by- 151 Reference (LbyR), Location Configuration Protocol, Location 152 Dereference Protocol, and Location Uniform Resource Identifier (URI) 153 are re-used from "Requirements for a Location-by-Reference Mechanism" 154 [RFC5808]. 156 "Trustworthy Location" is defined as location information that can be 157 attributed to a trusted source, has been protected against 158 modification in transmit, and has been assessed as trustworthy. 160 "Location Trust Assessment" refers to the process by which the 161 reliability of location information can be assessed. This topic is 162 discussed in Section 4. 164 "Identity Spoofing" is where the attacker forges or obscures their 165 identity so as to prevent themselves from being identified as the 166 source of the attack. One class of identity spoofing attack involves 167 the forging of call origin identification. 169 The following additional terms apply to location spoofing: 171 "Place Shifting" is where the attacker constructs a Presence 172 Information Data Format Location Object (PIDF-LO) for a location 173 other than where they are currently located. In some cases, place 174 shifting can be limited in range (e.g., within the coverage area of a 175 particular cell tower). 177 "Time Shifting" is where the attacker uses or re-uses location 178 information that was valid in the past, but is no longer valid 179 because the attacker has moved. 181 "Location Theft" is where the attacker captures a Target's location 182 information (possibly including a signature) and presents it as their 183 own. Location theft can occur in a single instance, or may be 184 continuous (e.g., where the attacker has gained control over the 185 victim's device). Location theft may also be combined with time 186 shifting to present someone else's location information after the 187 original Target has moved. 189 1.2. Literature Review 191 There is existing work on the problem of hoax calls, as well as 192 analyses of aspects of the security of emergency services, threats to 193 geographic location privacy, threats relating to spoofing of caller 194 identification and modification of location information in transit. 195 This section reviews the literature. 197 1.2.1. Hoax Calls 199 Hoax calls have been a problem for emergency services dating back to 200 the time of street corner call boxes. As the European Emergency 201 Number Association (EENA) has noted [EENA]: "False emergency calls 202 divert emergency services away from people who may be in life- 203 threatening situations and who need urgent help. This can mean the 204 difference between life and death for someone in trouble." 206 EENA [EENA] has attempted to define terminology and describe best 207 current practices for dealing with false emergency calls. Reducing 208 the number of hoax calls represents a challenge, since emergency 209 services authorities in most countries are required to answer every 210 call (whenever possible). Where the caller cannot be identified, the 211 ability to prosecute is limited. 213 A particularly dangerous form of hoax call is "swatting" - a hoax 214 emergency call that draws a response from law enforcement prepared 215 for a violent confrontation (e.g. a fake hostage situation that 216 results in dispatching of a "Special Weapons And Tactics" (SWAT) 217 team). In 2008 the Federal Bureau of Investigation (FBI) issued a 218 warning [Swatting] about an increase in the frequency and 219 sophistication of these attacks. 221 As noted in [EENA], many documented cases of "swatting" involve not 222 only the faking of an emergency, but also falsification or 223 obfuscation of identity. There are a number of techniques by which 224 hoax callers attempt to avoid identification, and in general, the 225 ability to identify the caller appears to influence the incidence of 226 hoax calls. 228 Where a Voice Service Provider enables setting of the outbound caller 229 identification without checking it against the authenticated 230 identity, forging caller identification is trivial. Similarly where 231 an attacker can gain entry to a Private Branch Exchange (PBX), they 232 can then subsequently use that access to launch a denial of service 233 attack against the PSAP, or to make fraudulent emergency calls. 234 Where emergency calls have been allowed from handsets lacking a SIM 235 card, or where ownership of the SIM card cannot be determined, the 236 frequency of hoax calls has often been unacceptably high 237 [TASMANIA][UK][SA]. 239 However, there are few documented cases of hoax calls that have 240 arisen from conveyance of untrustworthy location information within 241 an emergency call, which is the focus of this document. 243 1.2.2. Existing IETF Work 245 The Internet architecture for emergency calling is described in 246 "Framework for Emergency Calling Using Internet Multimedia" [RFC6443] 247 and "Best Current Practice for Communications Services in Support of 248 Emergency Calling" [RFC6881]. The conveyance of location information 249 within the Session Initiation Protocol (SIP) is described in 250 "Location Conveyance for the Session Initiation Protocol" [RFC6442], 251 which in the Security Considerations (Section 7) includes discussion 252 of privacy, authentication and integrity concerns relating to 253 conveyed location. Note that while [RFC6442] does not prohibit the 254 conveyance of location within non-emergency calls, in practice, 255 location conveyance requires additional infrastructure as described 256 in [RFC6443]. As a result, privacy issues inherent in conveyance of 257 location within non-emergency calls are not considered within 258 [RFC6442]. 260 "Secure Telephone Identity Threat Model" [I-D.ietf-stir-threats] 261 analyzes threats relating to impersonation and obscuring of calling 262 party numbers, reviewing the capabilities available to attackers, and 263 the scenarios in which attacks are launched. 265 "An Architecture for Location and Location Privacy in Internet 266 Applications" [RFC6280] describes an architecture for privacy- 267 preserving location-based services in the Internet, focusing on 268 authorization, security and privacy requirements for the data formats 269 and protocols used by these services. Within the Security 270 Considerations (Section 5), mechanisms for ensuring the security of 271 the location distribution chain are discussed; these include 272 mechanisms for hop-by-hop confidentiality and integrity protection as 273 well as end-to-end assurance. As noted in Section 6.3: 275 "there are three critical steps in the placement of an emergency 276 call, each involving location information: 278 1. Determine the location of the caller. 280 2. Determine the proper Public Safety Answering Point (PSAP) for 281 the caller's location. 283 3. Send a SIP INVITE message, including the caller's location, to 284 the PSAP." 286 "Geopriv Requirements" [RFC3693] focuses on the authorization, 287 security and privacy requirements of location-dependent services, 288 including emergency services. Within the Security Considerations 289 (Section 8), this includes discussion of emergency services 290 authentication (Section 8.3), and issues relating to identity and 291 anonymity (Section 8.4). 293 "Threat Analysis of the Geopriv Protocol" [RFC3694] describes threats 294 against geographic location privacy, including protocol threats, 295 threats resulting from the storage of geographic location data, and 296 threats posed by the abuse of information. 298 "Security Threats and Requirements for Emergency Call Marking and 299 Mapping" [RFC5069] reviews security threats associated with the 300 marking of signalling messages and the process of mapping locations 301 to Universal Resource Identifiers (URIs) that point to PSAPs. RFC 302 5069 describes attacks on the emergency services system, such as 303 attempting to deny system services to all users in a given area, to 304 gain fraudulent use of services and to divert emergency calls to non- 305 emergency sites. In addition, it describes attacks against 306 individuals, including attempts to prevent an individual from 307 receiving aid, or to gain information about an emergency, as well as 308 attacks on emergency services infrastructure elements, such as 309 mapping discovery and mapping servers. 311 2. Threat Model 313 To provide a structured analysis we distinguish between three 314 adversary models: 316 External adversary model: The end host, e.g., an emergency caller 317 whose location is going to be communicated, is honest and the 318 adversary may be located between the end host and the location 319 server or between the end host and the PSAP. None of the 320 emergency service infrastructure elements act maliciously. 322 Malicious infrastructure adversary model: The emergency call routing 323 elements, such as the Location Information Server (LIS), the 324 Location-to-Service Translation (LoST) infrastructure, used for 325 mapping locations to PSAP address, or call routing elements, may 326 act maliciously. 328 Malicious end host adversary model: The end host itself acts 329 maliciously, whether the owner is aware of this or whether it is 330 acting under the control of a third party. 332 Since previous work describes attacks against infrastructure elements 333 (e.g. location servers, call route servers, mapping servers) or the 334 emergency services IP network, as well as threats from attackers 335 attempting to snoop location in transit, this document focuses on the 336 threats arising from end hosts providing false location information 337 within emergency calls (the malicious end host adversary model). 339 Since the focus is on malicious hosts, we do not cover threats that 340 may arise from attacks on infrastructure that hosts depend on to 341 obtain location. For example, end hosts may obtain location from 342 civilian GPS, which is vulnerable to spoofing [GPSCounter] or from 343 third party Location Service Providers (LSPs) which may be vulnerable 344 to attack or may not provide location accuracy suitable for emergency 345 purposes. 347 Also, we do not cover threats arising from inadequate location 348 infrastructure. For example, a stale wiremap or an inaccurate access 349 point location database could be utilized by the Location Information 350 Server (LIS) or the end host in its location determination, thereby 351 leading to an inaccurate determination of location. Similarly, a 352 Voice Service Provider (VSP) (and indirectly a LIS) could utilize the 353 wrong identity (such as an IP address) for location lookup, thereby 354 providing the end host with misleading location information. 356 2.1. Location Spoofing 358 Where location is attached to the emergency call by an end host, the 359 end host can fabricate a PIDF-LO and convey it within an emergency 360 call. The following represent examples of location spoofing: 362 Place shifting: Trudy, the adversary, pretends to be at an 363 arbitrary location. 365 Time shifting: Trudy pretends to be at a location she was a 366 while ago. 368 Location theft: Trudy observes or obtains Alice's location and 369 replays it as her own. 371 2.2. Identity Spoofing 373 While this document does not focus on the problems created by 374 determination of location based on spoofed caller identification, the 375 ability to ascertain identity is important, since the threat of 376 punishment reduces hoax calls. As an example, calls from pay phones 377 are subject to greater scrutiny by the call taker. 379 With calls originating on an IP network, at least two forms of 380 identity are relevant, with the distinction created by the split 381 between the IAP and the VSP: 383 (a) network access identity such as might be determined via 384 authentication (e.g., using the Extensible Authentication Protocol 385 (EAP) [RFC3748]); 387 (b) caller identity, such as might be determined from authentication 388 of the emergency caller at the VoIP application layer. 390 If the adversary did not authenticate itself to the VSP, then 391 accountability may depend on verification of the network access 392 identity. However, this also may not have been authenticated, such 393 as in the case where an open IEEE 802.11 Access Point is used to 394 initiate a hoax emergency call. Although endpoint information such 395 as the IP or MAC address may have been logged, tying this back to the 396 device owner may be challenging. 398 Unlike the existing telephone system, VoIP emergency calls can 399 provide an identity that need not necessarily be coupled to a 400 business relationship with the IAP, ISP or VSP. However, due to the 401 time-critical nature of emergency calls, multi-layer authentication 402 is undesirable, so that in most cases, only the device placing the 403 call will be able to be identified. Furthermore, deploying 404 additional credentials for emergency service purposes (such as 405 certificates) increases costs, introduces a significant 406 administrative overhead and is only useful if widely deployed. 408 3. Mitigation Techniques 410 The sections that follow present three mechanisms for mitigating the 411 threats presented in Section 2: 413 1. Signed location by value (Section 3.1), which provides for 414 authentication and integrity protection of the PIDF-LO. At the 415 time of this writing, there is only an expired straw-man proposal 416 for this mechanism [I-D.thomson-geopriv-location-dependability], 417 so that it is not suitable for deployment. 419 2. Location-by-reference (Section 3.2), which enables location to 420 be obtained by the PSAP directly from the location server, over a 421 confidential and integrity-protected channel, avoiding 422 modification by the end-host or an intermediary. This mechanism 423 is specified in [RFC6753]. 425 3. Proxy added location (Section 3.3), which protects against 426 location forgery by the end host. This mechanism is specified in 427 [RFC6442]. 429 3.1. Signed Location by Value 431 With location signing, a location server signs the location 432 information before it is sent to the Target. The signed location 433 information is then sent to the location recipient, who verifies it. 435 Figure 1 shows the communication model with the target requesting 436 signed location in step (a), the location server returns it in step 437 (b) and it is then conveyed to the location recipient in step (c) who 438 verifies it. For SIP, the procedures described in "Location 439 Conveyance for the Session Initiation Protocol" [RFC6442] are 440 applicable for location conveyance. 442 +-----------+ +-----------+ 443 | | | Location | 444 | LIS | | Recipient | 445 | | | | 446 +-+-------+-+ +----+------+ 447 ^ | --^ 448 | | -- 449 Geopriv |Req. | -- 450 Location |Signed |Signed -- Protocol Conveying 451 Configuration |Loc. |Loc. -- Location (e.g. SIP) 452 Protocol |(a) |(b) -- (c) 453 | v -- 454 +-+-------+-+ -- 455 | Target / | -- 456 | End Host + 457 | | 458 +-----------+ 460 Figure 1: Location Signing 462 A straw-man proposal for location signing is provided in "Digital 463 Signature Methods for Location Dependability" [I-D.thomson-geopriv- 464 location-dependability]. Note that since this document is no longer 465 under development, location signing cannot be considered deployable 466 at the time of this writing. 468 In order to limit replay attacks, this document proposes the addition 469 of a "validity" element to the PIDF-LO, including a "from" sub- 470 element containing the time that location information was validated 471 by the signer, as well as an "until" sub-element containing the last 472 time that the signature can be considered valid. 474 One of the consequences of including an "until" element is that even 475 a stationary target would need to periodically obtain a fresh PIDF- 476 LO, or incur the additional delay of querying during an emergency 477 call. 479 Although privacy-preserving procedures may be disabled for emergency 480 calls, by design, PIDF-LO objects limit the information available for 481 real-time attribution. As noted in [RFC5985] Section 6.6: 483 The LIS MUST NOT include any means of identifying the Device in 484 the PIDF-LO unless it is able to verify that the identifier is 485 correct and inclusion of identity is expressly permitted by a Rule 486 Maker. Therefore, PIDF parameters that contain identity are 487 either omitted or contain unlinked pseudonyms [RFC3693]. A 488 unique, unlinked presentity URI SHOULD be generated by the LIS for 489 the mandatory presence "entity" attribute of the PIDF document. 490 Optional parameters such as the "contact" and "deviceID" elements 491 [RFC4479] are not used. 493 Also, the device referred to in the PIDF-LO may not necessarily be 494 the same entity conveying the PIDF-LO to the PSAP. As noted in 495 [RFC6442] Section 1: 497 In no way does this document assume that the SIP user agent client 498 that sends a request containing a location object is necessarily 499 the Target. The location of a Target conveyed within SIP 500 typically corresponds to that of a device controlled by the 501 Target, for example, a mobile phone, but such devices can be 502 separated from their owners, and moreover, in some cases, the user 503 agent may not know its own location. 505 Without the ability to tie the target identity to the identity 506 asserted in the SIP message, it is possible for an attacker to cut 507 and paste a PIDF-LO obtained by a different device or user into a SIP 508 INVITE and send this to the PSAP. This cut and paste attack could 509 succeed even when a PIDF-LO is signed, or [RFC4474] is implemented. 511 To address location-spoofing attacks, [I-D.thomson-geopriv-location- 512 dependability] proposes addition of an "identity" element which could 513 include a SIP URI (enabling comparison against the identity asserted 514 in the SIP headers) or an X.509v3 certificate. If the target was 515 authenticated by the LIS, an "authenticated" attribute is added. 516 However, inclusion of an "identity" attribute could enable location 517 tracking, so that a "hash" element is also proposed which could 518 contain a hash of the content of the "identity" element instead. In 519 practice, such a hash would not be much better for real-time 520 validation than a pseudonym. 522 Location signing cannot deter attacks in which valid location 523 information is provided. For example, an attacker in control of 524 compromised hosts could launch a denial-of-service attack on the PSAP 525 by initiating a large number of emergency calls, each containing 526 valid signed location information. Since the work required to verify 527 the location signature is considerable, this could overwhelm the PSAP 528 infrastructure. 530 However, while DDOS attacks are unlikely to be deterred by location 531 signing, accurate location information would limit the subset of 532 compromised hosts that could be used for an attack, as only hosts 533 within the PSAP serving area would be useful in placing emergency 534 calls. 536 Location signing is also difficult when the host obtains location via 537 mechanisms such as GPS, unless trusted computing approaches, with 538 tamper-proof GPS modules, can be applied. Otherwise, an end host can 539 pretend to have a GPS device, and the recipient will need to rely on 540 its ability to assess the level of trust that should be placed in the 541 end host location claim. 543 Even though location signing mechanisms have not been standardized, 544 [NENA-i2] Section 3.7 includes operational recommendations relating 545 to location signing: 547 Location determination is out of scope for NENA, but we can offer 548 guidance on what should be considered when designing mechanisms to 549 report location: 551 1. The location object should be digitally signed. 553 2. The certificate for the signer (LIS operator) should be 554 rooted in VESA. For this purpose, VPC and ERDB operators 555 should issue certs to LIS operators. 557 3. The signature should include a timestamp. 559 4. Where possible, the Location Object should be refreshed 560 periodically, with the signature (and thus the timestamp) 561 being refreshed as a consequence. 563 5. Anti-spoofing mechanisms should be applied to the Location 564 Reporting method. 566 [Note: The term Valid Emergency Services Authority (VESA) refers 567 to the root certificate authority. VPC stands for VoIP 568 Positioning Center and ERDB stands for the Emergency Service Zone 569 Routing Database.] 571 As noted above, signing of location objects implies the development 572 of a trust hierarchy that would enable a certificate chain provided 573 by the LIS operator to be verified by the PSAP. Rooting the trust 574 hierarchy in VESA can be accomplished either by having the VESA 575 directly sign the LIS certificates, or by the creation of 576 intermediate Certificate Authorities (CAs) certified by the VESA, 577 which will then issue certificates to the LIS. In terms of the 578 workload imposed on the VESA, the latter approach is highly 579 preferable. However, this raises the question of who would operate 580 the intermediate CAs and what the expectations would be. 582 In particular, the question arises as to the requirements for LIS 583 certificate issuance, and how they would compare to requirements for 584 issuance of other certificates such as an SSL/TLS web certificate. 586 3.2. Location by Reference 588 Location-by-reference was developed so that end hosts can avoid 589 having to periodically query the location server for up-to-date 590 location information in a mobile environment. Additionally, if 591 operators do not want to disclose location information to the end 592 host without charging them, location-by-reference provides a 593 reasonable alternative. Also, since location-by-reference enables 594 the PSAP to directly contact the location server, it avoids potential 595 attacks by intermediaries. As noted in "A Location Dereference 596 Protocol Using HTTP-Enabled Location Delivery (HELD)" [RFC6753], a 597 location reference can be obtained via HTTP-Enabled Location Delivery 598 (HELD) [RFC5985]. 600 Figure 2 shows the communication model with the target requesting a 601 location reference in step (a), the location server returns the 602 reference in step (b), and it is then conveyed to the location 603 recipient in step (c). The location recipient needs to resolve the 604 reference with a request in step (d). Finally, location information 605 is returned to the Location Recipient afterwards. For location 606 conveyance in SIP, the procedures described in [RFC6442] are 607 applicable. 609 +-----------+ Geopriv +-----------+ 610 | | Location | Location | 611 | LIS +<------------->+ Recipient | 612 | | Dereferencing | | 613 +-+-------+-+ Protocol (d) +----+------+ 614 ^ | --^ 615 | | -- 616 Geopriv |Req. | -- 617 Location |LbyR |LbyR -- Protocol Conveying 618 Configuration |(a) |(b) -- Location (e.g. SIP) 619 Protocol | | -- (c) 620 | V -- 621 +-+-------+-+ -- 622 | Target / | -- 623 | End Host + 624 | | 625 +-----------+ 627 Figure 2: Location by Reference 629 Where location by reference is provided, the recipient needs to 630 deference the LbyR in order to obtain location. The details for the 631 dereferencing operations vary with the type of reference, such as a 632 HTTP, HTTPS, SIP, SIPS URI or a SIP presence URI. 634 For location-by-reference, the location server needs to maintain one 635 or several URIs for each target, timing out these URIs after a 636 certain amount of time. References need to expire to prevent the 637 recipient of such a Uniform Resource Locator (URL) from being able to 638 permanently track a host and to offer garbage collection 639 functionality for the location server. 641 Off-path adversaries must be prevented from obtaining the target's 642 location. The reference contains a randomized component that 643 prevents third parties from guessing it. When the location recipient 644 fetches up-to-date location information from the location server, it 645 can also be assured that the location information is fresh and not 646 replayed. However, this does not address location theft. 648 With respect to the security of the de-reference operation, [RFC6753] 649 Section 6 states: 651 TLS MUST be used for dereferencing location URIs unless 652 confidentiality and integrity are provided by some other 653 mechanism, as discussed in Section 3. Location Recipients MUST 654 authenticate the host identity using the domain name included in 655 the location URI, using the procedure described in Section 3.1 of 656 [RFC2818]. Local policy determines what a Location Recipient does 657 if authentication fails or cannot be attempted. 659 The authorization by possession model (Section 4.1) further relies 660 on TLS when transmitting the location URI to protect the secrecy 661 of the URI. Possession of such a URI implies the same privacy 662 considerations as possession of the PIDF-LO document that the URI 663 references. 665 Location URIs MUST only be disclosed to authorized Location 666 Recipients. The GEOPRIV architecture [RFC6280] designates the 667 Rule Maker to authorize disclosure of the URI. 669 Protection of the location URI is necessary, since the policy 670 attached to such a location URI permits anyone who has the URI to 671 view the associated location information. This aspect of security 672 is covered in more detail in the specification of location 673 conveyance protocols, such as [RFC6442]. 675 For authorizing access to location-by-reference, two authorization 676 models were developed: "Authorization by Possession" and 677 "Authorization via Access Control Lists". With respect to 678 "Authorization by Possession" [RFC6753] Section 4.1 notes: 680 In this model, possession -- or knowledge -- of the location URI 681 is used to control access to location information. A location URI 682 might be constructed such that it is hard to guess (see C8 of 683 [RFC5808]), and the set of entities that it is disclosed to can be 684 limited. The only authentication this would require by the LS is 685 evidence of possession of the URI. The LS could immediately 686 authorize any request that indicates this URI. 688 Authorization by possession does not require direct interaction 689 with Rule Maker; it is assumed that the Rule Maker is able to 690 exert control over the distribution of the location URI. 691 Therefore, the LIS can operate with limited policy input from a 692 Rule Maker. 694 Limited disclosure is an important aspect of this authorization 695 model. The location URI is a secret; therefore, ensuring that 696 adversaries are not able to acquire this information is paramount. 697 Encryption, such as might be offered by TLS [RFC5246] or S/MIME 698 [RFC5751], protects the information from eavesdroppers. 700 Using possession as a basis for authorization means that, once 701 granted, authorization cannot be easily revoked. Cancellation of 702 a location URI ensures that legitimate users are also affected; 703 application of additional policy is theoretically possible but 704 could be technically infeasible. Expiration of location URIs 705 limits the usable time for a location URI, requiring that an 706 attacker continue to learn new location URIs to retain access to 707 current location information. 709 In situations where "Authorization by Possession" is not suitable 710 (such as where location hiding [RFC6444] is required), the 711 "Authorization via Access Control Lists" model may be preferred. 713 Without the introduction of hierarchy, it would be necessary for the 714 PSAP to obtain client certificates or Digest credentials for all the 715 LISes in its coverage area, to enable it to successfully dereference 716 LbyRs. In situations with more than a few LISes per PSAP, this would 717 present operational challenges. 719 A certificate hierarchy providing PSAPs with client certificates 720 chaining to the VESA could be used to enable the LIS to authenticate 721 and authorize PSAPs for dereferencing. Note that unlike PIDF-LO 722 signing (which mitigates against modification of PIDF-LOs), this 723 merely provides the PSAP with access to a (potentially unsigned) 724 PIDF-LO, albeit over a protected TLS channel. 726 Another approach would be for the local LIS to upload location 727 information to a location aggregation point who would in turn manage 728 the relationships with the PSAP. This would shift the management 729 burden from the PSAPs to the location aggregation points. 731 3.3. Proxy Adding Location 733 Instead of relying upon the end host to provide location, is possible 734 for a proxy that has the ability to determine the location of the end 735 point (e.g., based on the end host IP or MAC address) to retrieve and 736 add or override location information. 738 The use of proxy-added location is primarily applicable in scenarios 739 where the end host does not provide location. As noted in [RFC6442] 740 Section 4.1: 742 A SIP intermediary SHOULD NOT add location to a SIP request that 743 already contains location. This will quite often lead to 744 confusion within LRs. However, if a SIP intermediary adds 745 location, even if location was not previously present in a SIP 746 request, that SIP intermediary is fully responsible for addressing 747 the concerns of any 424 (Bad Location Information) SIP response it 748 receives about this location addition and MUST NOT pass on 749 (upstream) the 424 response. A SIP intermediary that adds a 750 locationValue MUST position the new locationValue as the last 751 locationValue within the Geolocation header field of the SIP 752 request. 754 A SIP intermediary MAY add a Geolocation header field if one is 755 not present -- for example, when a user agent does not support the 756 Geolocation mechanism but their outbound proxy does and knows the 757 Target's location, or any of a number of other use cases (see 758 Section 3). 760 As noted in [RFC6442] Section 3.3: 762 This document takes a "you break it, you bought it" approach to 763 dealing with second locations placed into a SIP request by an 764 intermediary entity. That entity becomes completely responsible 765 for all location within that SIP request (more on this in Section 766 4). 768 While it is possible for the proxy to override location included by 769 the end host, [RFC6442] Section 3.4 notes the operational 770 limitations: 772 Overriding location information provided by the user requires a 773 deployment where an intermediary necessarily knows better than an 774 end user -- after all, it could be that Alice has an on-board GPS, 775 and the SIP intermediary only knows her nearest cell tower. Which 776 is more accurate location information? Currently, there is no way 777 to tell which entity is more accurate or which is wrong, for that 778 matter. This document will not specify how to indicate which 779 location is more accurate than another. 781 The disadvantage of this approach is the need to deploy application 782 layer entities, such as SIP proxies, at IAPs or associated with IAPs. 783 This requires a standardized VoIP profile to be deployed at every end 784 device and at every IAP. This might impose interoperability 785 challenges. 787 Additionally, the IAP needs to take responsibility for emergency 788 calls, even for customers they have no direct or indirect 789 relationship with. To provide identity information about the 790 emergency caller from the VSP it would be necessary to let the IAP 791 and the VSP to interact for authentication (see, for example, 792 "Diameter Session Initiation Protocol (SIP) Application" [RFC4740]). 793 This interaction along the Authentication, Authorization and 794 Accounting infrastructure is often based on business relationships 795 between the involved entities. An arbitrary IAP and VSP are unlikely 796 to have a business relationship. In case the interaction between the 797 IAP and the VSP fails due to the lack of a business relationship then 798 typically a fall-back would be provided where no emergency caller 799 identity information is made available to the PSAP and the emergency 800 call still has to be completed. 802 4. Location Trust Assessment 804 The ability to assess the level of trustworthiness of conveyed 805 location information is important, since this makes it possible to 806 understand how much value should be placed on location information, 807 as part of the decision making process. As an example, if automated 808 location information is understood to be highly suspect or is absent, 809 a call taker can put more effort into verifying the authenticity of 810 the call and to obtaining location information from the caller. 812 Location trust assessment has value regardless of whether the 813 location itself is authenticated (e.g. signed location) or is 814 obtained directly from the location server (e.g. location-by- 815 reference) over security transport, since these mechanisms do not 816 provide assurance of the validity or provenance of location data. 818 To prevent location-theft attacks, the "entity" element of the PIDF- 819 LO is of limited value if an unlinked pseudonym is provided in this 820 field. However, if the LIS authenticates the target, then the 821 linkage between the pseudonym and the target identity can be 822 recovered in a post-incident investigation. 824 As noted in [I.D.thomson-geopriv-location-dependability], if the 825 location object was signed, the location recipient has additional 826 information on which to base their trust assessment, such as the 827 validity of the signature, the identity of the target, the identity 828 of the LIS, whether the LIS authenticated the target, and the 829 identifier included in the "entity" field. 831 Caller accountability is also an important aspect of trust 832 assessment. Can the individual purchasing the device or activating 833 service be identified or did the call originate from a non-service 834 initialized (NSI) device whose owner cannot be determined? Prior to 835 the call, was the caller authenticated at the network or application 836 layer? In the event of a hoax call, can audit logs be made available 837 to an investigator, or can information relating to the owner of an 838 unlinked pseudonym be provided, enabling investigators to unravel the 839 chain of events that lead to the attack? 841 In practice, the source of the location data is important for 842 location trust assessment. For example, location provided by a 843 Location Information Server (LIS) whose administrator has an 844 established history of meeting emergency location accuracy 845 requirements (e.g. Phase II) may be considered more reliable than 846 location information provided by a third party Location Service 847 Provider (LSP) that disclaims use of location information for 848 emergency purposes. 850 However, even where an LSP does not attempt to meet the accuracy 851 requirements for emergency location, it still may be able to provide 852 information useful in assessing about how reliable location 853 information is likely to be. For example, was location determined 854 based on the nearest cell tower or 802.11 Access Point (AP), or was a 855 triangulation method used? If based on cell tower or AP location 856 data, was the information obtained from an authoritative source (e.g. 857 the tower or AP owner) and when was the last time that the location 858 of the tower or access point was verified? 860 For real-time validation, information in the signaling and media 861 packets can be cross checked against location information. For 862 example, it may be possible to determine the city, state, country or 863 continent associated with the IP address included within SIP Via: or 864 Contact: headers, or the media source address, and compare this 865 against the location information reported by the caller or conveyed 866 in the PIDF-LO. However, in some situations only entities close to 867 the caller may be able to verify the correctness of location 868 information. 870 Real-time validation of the timestamp contained within PIDF-LO 871 objects (reflecting the time at which the location was determined) is 872 also challenging. To address time-shifting attacks, the "timestamp" 873 element of the PIDF-LO, defined in [RFC3863], can be examined and 874 compared against timestamps included within the enclosing SIP 875 message, to determine whether the location data is sufficiently 876 fresh. However, the timestamp only represents an assertion by the 877 LIS, which may or may not be trustworthy. For example, the recipient 878 of the signed PIDF-LO may not know whether the LIS supports time 879 synchronization, or whether it is possible to reset the LIS clock 880 manually without detection. Even if the timestamp was valid at the 881 time location was determined, a time period may elapse between when 882 the PIDF-LO was provided and when it is conveyed to the recipient. 883 Periodically refreshing location information to renew the timestamp 884 even though the location information itself is unchanged puts 885 additional load on LISes. As a result, recipients need to validate 886 the timestamp in order to determine whether it is credible. 888 While this document focuses on the discussion of real-time 889 determination of suspicious emergency calls, the use of audit logs 890 may help in enforcing accountability among emergency callers. For 891 example, in the event of a hoax call, information relating to the 892 owner of the unlinked pseudonym could be provided to investigators, 893 enabling them to unravel the chain of events that lead to the attack. 894 However, while auditability is an important deterrent, it is likely 895 to be of most benefit in situations where attacks on the emergency 896 services system are likely to be relatively infrequent, since the 897 resources required to pursue an investigation are likely to be 898 considerable. However, although real-time validation based on PIDF- 899 LO elements is challenging, where LIS audit logs are available (such 900 as where a law enforcement agency can present a subpoena), linking of 901 a pseudonym to the device obtaining location can be accomplished 902 during an investigation. 904 Where attacks are frequent and continuous, automated mechanisms are 905 required. For example, it might be valuable to develop mechanisms to 906 exchange audit trails information in a standardized format between 907 ISPs and PSAPs / VSPs and PSAPs or heuristics to distinguish 908 potentially fraudulent emergency calls from real emergencies. While 909 a Completely Automated Public Turing test to tell Computers and 910 Humans Apart (CAPTCHA) may be applied to suspicious calls to lower 911 the risk from bot-nets, this is quite controversial for emergency 912 services, due to the risk of delaying or rejecting valid calls. 914 5. Security Considerations 916 It should be understood that mounting the attacks described in 917 Section 2 is non-trivial. Location theft requires the attacker to be 918 in proximity to the location being spoofed, or to either collude with 919 another end host or gain control of an end host so as to obtain its 920 location. Time shifting attacks require that the attacker visit the 921 location and submit it before the location information is considered 922 stale, while travelling rapidly away from that location to avoid 923 apprehension. Obtaining a PIDF-LO from a spoofed IP address requires 924 that the attacker be on the path between the HELD requester and the 925 LIS. 927 Although it is important to ensure that location information cannot 928 be faked, it should be understood that the mitigation techniques 929 presented in this document are not universally applicable. For 930 example, there will be many GPS-enabled devices that will find it 931 difficult to utilize any of the solutions described in Section 3. It 932 is also unlikely that users will be willing to upload their location 933 information for "verification" to a nearby location server located in 934 the access network. 936 While this document focuses on threats that arise from conveyance of 937 misleading location information, rather than caller identification or 938 authentication and integrity protection of the messages in which 939 location is conveyed. Nevertheless, it should be understood that 940 these aspects are important. 942 In some countries, regulators may not require the authenticated 943 identity of the emergency caller (e.g. emergency calls placed from 944 PSTN pay phones or SIM-less cell phones). Furthermore, if identities 945 can easily be crafted (as it is the case with many VoIP offerings 946 today), then the value of emergency caller authentication itself 947 might be limited. As a result, attackers can forge emergency call 948 information with a lower risk of being held accountable, and this 949 appears to be correlated with an increase in hoax calls. 951 In order to provide authentication and integrity protection for the 952 Session Initiation Protocol (SIP) messages conveying location, 953 several security approaches are available. It is possible to ensure 954 that modification of the identity and location in transit can be 955 detected by the location recipient (e.g., the PSAP), using 956 cryptographic mechanisms, as described in "Enhancements for 957 Authenticated Identity Management in the Session Initiation Protocol" 958 [RFC4474]. However, compatibility with Session Border Controllers 959 (SBCs) that modify integrity-protected headers has proven to be an 960 issue in practice, and as a result, a revision is in progress 961 [I.D.jennings-stir-rfc4474bis]. In the absence of an end-to-end 962 solution, SIP over Transport Layer Security (TLS) can be used to 963 provide message authentication and integrity protection hop-by-hop. 965 It should also be understood that even where the mitigation 966 techniques described in this document are utilized, PSAPs remain 967 vulnerable to distributed denial of service attacks. Placing a large 968 number of emergency calls that appear to come from different 969 locations is an example of an attack that is difficult to carry out 970 within legacy system, but is easier to imagine within IP-based 971 emergency services. Also, in the current system, it would be very 972 difficult for an attacker from country 'Foo' to attack the emergency 973 services infrastructure located in country 'Bar', but this attack is 974 possible within IP-based emergency services. 976 Emergency services have three finite resources subject to denial of 977 service attacks: the network and server infrastructure, call takers 978 and dispatchers, and the first responders, such as fire fighters and 979 police officers. Protecting the network infrastructure is similar to 980 protecting other high-value service providers, except that location 981 information may be used to filter call setup requests, to weed out 982 requests that are out of area. Even for large cities PSAPs may only 983 have a handful of call takers on duty. So even if automated 984 techniques are utilized to evaluate the trustworthiness of conveyed 985 location and call takers can, by questioning the caller, eliminate 986 many hoax calls, PSAPs can be overwhelmed even by a small-scale 987 attack. Finally, first responder resources are scarce, particularly 988 during mass-casualty events. 990 6. IANA Considerations 992 This document does not require actions by IANA. 994 7. References 996 7.1. Informative References 998 [I-D.ietf-stir-problem-statement] 999 Peterson, J., Schulzrinne, H., and H. Tschofenig, "Secure 1000 Telephone Identity Problem Statement", Internet draft (work in 1001 progress), draft-ietf-stir-problem-statement-05.txt, May 2014. 1003 [I-D.ietf-stir-threats] 1004 Peterson, J., "Secure Telephone Identity Threat Model", 1005 Internet draft (work in progress), draft-ietf-stir- 1006 threats-02.txt, February 2014. 1008 [I-D.jennings-stir-rfc4474bis] 1009 Peterson, J., Jennings, C. and E. Rescorla, "Authenticated 1010 Identity Management in the Session Initiation Protocol (SIP)", 1011 Internet draft (work in progress), draft-jennings-stir- 1012 rfc4474bis-01.txt, February 2014. 1014 [I-D.thomson-geopriv-location-dependability] 1015 Thomson, M. and J. Winterbottom, "Digital Signature Methods 1016 for Location Dependability", Internet draft (work in 1017 progress), draft-thomson-geopriv-location- 1018 dependability-07.txt, March 2011. 1020 [EENA] EENA, "False Emergency Calls", EENA Operations Document, 1021 Version 1.1, May 2011, http://www.eena.org/ressource/static/ 1022 files/2012_05_04-3.1.2.fc_v1.1.pdf 1024 [GPSCounter] 1025 Warner, J. S. and R. G. Johnston, "GPS Spoofing 1026 Countermeasures", Los Alamos research paper LAUR-03-6163, 1027 December 2003. 1029 [NENA-i2] "08-001 NENA Interim VoIP Architecture for Enhanced 9-1-1 1030 Services (i2)", December 2005. 1032 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1033 Requirement Levels", BCP 14, RFC 2119, March 1997. 1035 [RFC2818] Rescorla, E., "HTTP over TLS", RFC 2818, May 2000. 1037 [RFC3693] Cuellar, J., Morris, J., Mulligan, D., Peterson, J., and J. 1038 Polk, "Geopriv Requirements", RFC 3693, February 2004. 1040 [RFC3694] Danley, M., Mulligan, D., Morris, J. and J. Peterson, "Threat 1041 Analysis of the Geopriv Protocol", RFC 3694, February 2004. 1043 [RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. 1044 Levkowetz, "Extensible Authentication Protocol (EAP)", RFC 1045 3748, June 2004. 1047 [RFC3863] Sugano, H., Fujimoto, S., Klyne, G., Bateman, A., Carr, W. and 1048 J. Peterson, "Presence Information Data Format (PIDF)", RFC 1049 3863, August 2004. 1051 [RFC4474] Peterson, J. and C. Jennings, "Enhancements for Authenticated 1052 Identity Management in the Session Initiation Protocol (SIP)", 1053 RFC 4474, August 2006. 1055 [RFC4479] Rosenberg, J., "A Data Model for Presence", RFC 4479, July 1056 2006. 1058 [RFC4740] Garcia-Martin, M., Belinchon, M., Pallares-Lopez, M., Canales- 1059 Valenzuela, C., and K. Tammi, "Diameter Session Initiation 1060 Protocol (SIP) Application", RFC 4740, November 2006. 1062 [RFC5012] Schulzrinne, H. and R. Marshall, "Requirements for Emergency 1063 Context Resolution with Internet Technologies", RFC 5012, 1064 January 2008. 1066 [RFC5069] Taylor, T., Tschofenig, H., Schulzrinne, H. and M. Shanmugam, 1067 "Security Threats and Requirements for Emergency Call Marking 1068 and Mapping", RFC 5069, January 2008. 1070 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Level Security 1071 (TLS) Protocol Version 1.2", RFC 5246, August 2008. 1073 [RFC5491] Winterbottom, J., Thomson, M. and H. Tschofenig, "GEOPRIV 1074 Presence Information Data Format Location Object (PIDF-LO) 1075 Usage Clarification, Considerations, and Recommendations", RFC 1076 5491, March 2009. 1078 [RFC5751] Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet Mail 1079 Extensions (S/MIME) Version 3.2 Message Specification", RFC 1080 5751, January 2010. 1082 [RFC5808] Marshall, R., "Requirements for a Location-by-Reference 1083 Mechanism", RFC 5808, May 2010. 1085 [RFC5985] Barnes, M., "HTTP Enabled Location Delivery (HELD)", RFC 5985, 1086 September 2010. 1088 [RFC6280] Barnes, R., et. al, "An Architecture for Location and Location 1089 Privacy in Internet Applications", RFC 6280, July 2011. 1091 [RFC6442] Polk, J., Rosen, B. and J. Peterson, "Location Conveyance for 1092 the Session Initiation Protocol", RFC 6442, December 2011. 1094 [RFC6443] Rosen, B., Schulzrinne, H., Polk, J., and A. Newton, 1095 "Framework for Emergency Calling Using Internet Multimedia", 1096 RFC 6443, December 2011. 1098 [RFC6444] Schulzrinne, H., Liess, L., Tschofenig, H., Stark, B., and A. 1099 Kuett, "Location Hiding: Problem Statement and Requirements", 1100 RFC 6444, January 2012. 1102 [RFC6753] Winterbottom, J., Tschofenig. H., Schulzrinne, H. and M. 1103 Thomson, "A Location Dereference Protocol Using HTTP-Enabled 1104 Location Delivery (HELD)", RFC 6753, October 2012. 1106 [RFC6881] Rosen, B. and J. Polk, "Best Current Practice for 1107 Communications Services in Support of Emergency Calling", BCP 1108 181, RFC 6881, March 2013. 1110 [RFC7090] Schulzrinne, H., Tschofenig, H., Holmberg, C. and M. Patel, 1111 "Public Safety Answering Point (PSAP) Callback", RFC 7090, 1112 April 2014. 1114 [SA] "Saudi Arabia - Illegal sale of SIMs blamed for surge in hoax 1115 calls", Arab News, May 4, 2010, 1116 http://www.menafn.com/qn_news_story_s.asp?StoryId=1093319384 1118 [STIR] IETF, "Secure Telephone Identity Revisited (stir) Working 1119 Group", http://datatracker.ietf.org/wg/stir/charter/, October 1120 2013. 1122 [Swatting] 1123 "Don't Make the Call: The New Phenomenon of 'Swatting', 1124 Federal Bureau of Investigation, February 4, 2008, 1125 http://www.fbi.gov/news/stories/2008/february/swatting020408 1127 [TASMANIA] 1128 "Emergency services seek SIM-less calls block", ABC News 1129 Online, August 18, 2006, 1130 http://www.abc.net.au/elections/tas/2006/news/stories/ 1131 1717956.htm?elections/tas/2006/ 1133 [UK] "Rapper makes thousands of prank 999 emergency calls to UK 1134 police", Digital Journal, June 24, 2010, 1135 http://www.digitaljournal.com/article/293796?tp=1 1137 Acknowledgments 1139 We would like to thank the members of the IETF ECRIT working group, 1140 including Marc Linsner and Brian Rosen, for their input at IETF 85 1141 that helped get this documented pointed in the right direction. We 1142 would also like to thank members of the IETF GEOPRIV WG, including 1143 Andrew Newton, Murugaraj Shanmugam, Martin Thomson, Richard Barnes 1144 and Matt Lepinski for their feedback to previous versions of this 1145 document. Thanks also to Pete Resnick, Adrian Farrel, Alissa Cooper, 1146 Bert Wijnen and Meral Shirazipour who provided review comments in 1147 IETF last call. 1149 Authors' Addresses 1151 Hannes Tschofenig 1152 ARM Ltd. 1153 110 Fulbourn Rd 1154 Cambridge CB1 9NJ 1155 Great Britain 1157 Email: Hannes.tschofenig@gmx.net 1158 URI: http://www.tschofenig.priv.at 1160 Henning Schulzrinne 1161 Columbia University 1162 Department of Computer Science 1163 450 Computer Science Building, New York, NY 10027 1164 US 1166 Phone: +1 212 939 7004 1167 Email: hgs@cs.columbia.edu 1168 URI: http://www.cs.columbia.edu 1170 Bernard Aboba 1171 Microsoft Corporation 1172 One Microsoft Way 1173 Redmond, WA 98052 1174 US 1176 Email: bernard_aboba@hotmail.com