1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
|
Internet Engineering Task Force (IETF) H. Schulzrinne
Request for Comments: 7406 Columbia University
Category: Informational S. McCann
ISSN: 2070-1721 BlackBerry Ltd
G. Bajko
MediaTek
H. Tschofenig
D. Kroeselberg
Siemens Corporate Technology
December 2014
Extensions to the Emergency Services Architecture for Dealing With
Unauthenticated and Unauthorized Devices
Abstract
This document provides a problem statement, introduces terminology,
and describes an extension for the base IETF emergency services
architecture to address cases where an emergency caller is not
authenticated, has no identifiable service provider, or has no
remaining credit with which to pay for access to the network.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7406.
Schulzrinne, et al. Informational [Page 1]
^L
RFC 7406 Unauthenticated Emergency Service December 2014
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. Use-Case Categories . . . . . . . . . . . . . . . . . . . . . 5
4. ZBP Considerations . . . . . . . . . . . . . . . . . . . . . 12
5. NASP Considerations . . . . . . . . . . . . . . . . . . . . . 12
5.1. End-Host Profile . . . . . . . . . . . . . . . . . . . . 15
5.1.1. LoST Server Discovery . . . . . . . . . . . . . . . . 15
5.1.2. ESRP Discovery . . . . . . . . . . . . . . . . . . . 15
5.1.3. Location Determination and Location Configuration . . 15
5.1.4. Emergency Call Identification . . . . . . . . . . . . 15
5.1.5. SIP Emergency Call Signaling . . . . . . . . . . . . 15
5.1.6. Media . . . . . . . . . . . . . . . . . . . . . . . . 16
5.1.7. Testing . . . . . . . . . . . . . . . . . . . . . . . 16
5.2. IAP/ISP Profile . . . . . . . . . . . . . . . . . . . . . 16
5.2.1. ESRP Discovery . . . . . . . . . . . . . . . . . . . 16
5.2.2. Location Determination and Location Configuration . . 16
5.3. ESRP Profile . . . . . . . . . . . . . . . . . . . . . . 16
5.3.1. Emergency Call Routing . . . . . . . . . . . . . . . 16
5.3.2. Emergency Call Identification . . . . . . . . . . . . 16
5.3.3. SIP Emergency Call Signaling . . . . . . . . . . . . 17
6. Lower-Layer Considerations for NAA Case . . . . . . . . . . . 17
6.1. Link-Layer Emergency Indication . . . . . . . . . . . . . 18
6.2. Securing Network Attachment in NAA Cases . . . . . . . . 19
7. Security Considerations . . . . . . . . . . . . . . . . . . . 20
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 21
8.1. Normative References . . . . . . . . . . . . . . . . . . 21
8.2. Informative References . . . . . . . . . . . . . . . . . 22
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 24
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 25
Schulzrinne, et al. Informational [Page 2]
^L
RFC 7406 Unauthenticated Emergency Service December 2014
1. Introduction
Summoning police, the fire department, or an ambulance in emergencies
is one of the fundamental and most-valued functions of the telephone.
As telephony functionality moves from circuit-switched telephony to
Internet telephony, its users rightfully expect that this core
functionality will continue to work at least as well as it has for
the older technology. New devices and services are being made
available that could be used to make a request for help; those
devices are not traditional telephones, and users are increasingly
expecting them to be able to place emergency calls.
Roughly speaking, the IETF emergency services architecture (see
[RFC6881] and [RFC6443]) divides responsibility for handling
emergency calls among the access network (Internet Access Provider
(IAP) or ISP); the application service provider (ASP), which may be a
VoIP service provider (VSP); and the provider of emergency signaling
services, the emergency service network (ESN). The access network
may provide location information to end systems but does not have to
provide any ASP signaling functionality. The emergency caller can
reach the ESN either directly or through the ASP's outbound proxy.
Any of the three parties can provide the mapping from location to the
Public Safety Answering Point (PSAP) URI by offering Location-to-
Service Translation (LoST) [RFC5222] services.
In general, a set of automated configuration mechanisms allows a
device to function in a variety of architectures, without the user
being aware of the details on who provides location, mapping
services, or call-routing services. However, if emergency calling is
to be supported when the calling device lacks access network
authorization or does not have an ASP, one or more of the providers
may need to provide additional services and functions.
In all cases, the end device has to be able to perform a LoST lookup
and otherwise conduct the emergency call in the same manner as when
the three exceptional conditions discussed below do not apply.
Schulzrinne, et al. Informational [Page 3]
^L
RFC 7406 Unauthenticated Emergency Service December 2014
We distinguish among three conditions:
No Access Authentication (NAA): In the NAA case, the emergency
caller does not posses valid credentials for the access network.
This includes the case where the access network allows
pay-per-use, as is common for wireless hotspots, but there is
insufficient time to enter credit card details and other
registration information required for access. It also covers all
cases where either no credentials are available at all or the
available credentials do not work for the given IAP/ISP. As a
result, the NAA case basically combines the No ASP (NASP) and
zero-balance ASP (ZBP) cases below, but at the IAP/ISP level.
Support for emergency call handling in the NAA case is subject to
the local policy of the ISP. Such policy may vary substantially
between ISPs and typically depends on external factors that are
not under the ISP control.
No ASP (NASP): The caller does not have an ASP at the time of the
call. This can occur in case the caller either does not possess
any valid subscription for a reachable ASP or does possess a valid
subscription but none of the ASPs are reachable through the ISP.
Note: The interoperability need is increased with this scenario
since the client software used by the emergency caller must be
compatible with the protocols and extensions deployed by the ESN.
Zero-balance ASP (ZBP): In the case of a zero-balance ASP, the ASP
can authenticate the caller, but the caller is not authorized to
use ASP services, e.g., because the contract has expired or the
prepaid account for the customer has been depleted.
These three cases are not mutually exclusive. A caller in need of
help may, for example, be both in an NAA and NASP situation, as
explained in more detail in Figure 1. Depending on local policy and
regulations, it may not be possible to place emergency calls in the
NAA case. Unless local regulations require user identification, it
should always be possible to place calls in the NASP case, with
minimal impact on the ISP. Unless the ESN requires that all calls
traverse a known set of Voice Service Providers (VSPs), it is
technically possible to let a caller place an emergency call in the
ZBP case. We discuss each case in more detail in Section 3.
Some of the functionality provided in this document is already
available in the Public Switched Telephone Network (PSTN).
Consequently, there is real-world experience available and not all of
it is positive. For example, the functionality of calls without
Subscriber Identity Modules (SIMs) in today's cellular system has
lead to a fair amount of hoax or test calls in certain countries.
Schulzrinne, et al. Informational [Page 4]
^L
RFC 7406 Unauthenticated Emergency Service December 2014
This causes overload situations at PSAPs, which is considered harmful
to the overall availability and reliability of emergency services.
As an example, the Federal Office of Communications (OFCOM,
Switzerland) provided statistics about emergency (112) calls in
Switzerland from Jan. 1997 to Nov. 2001. Switzerland did not
offer SIM-less emergency calls except for almost a month in July
2000 where a significant increase in hoax and test calls was
reported. As a consequence, the functionality was disabled again.
More details can be found in the panel presentations of the 3rd
Standards Development Organization (SDO) Emergency Services
Workshop [esw07].
2. Terminology
In this document, the key words "MUST", "MUST NOT", "REQUIRED",
"SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
and "OPTIONAL" are to be interpreted as described in [RFC2119].
This document reuses terminology from [RFC5687] and [RFC5012], namely
Internet Access Provider (IAP), Internet Service Provider (ISP),
Application Service Provider (ASP), Voice Service Provider (VSP),
Emergency Service Routing Proxy (ESRP), Public Safety Answering Point
(PSAP), Location Configuration Server (LCS), (emergency) service dial
string, and (emergency) service identifier.
3. Use-Case Categories
An end host needs to perform the following steps if it is not
attached to the network and the user is starting to place an
emergency call:
Link-Layer Attachment: Some networks have added support for
unauthenticated emergency access while others have advertised
these capabilities using layer beacons (multicast or broadcast
announcements). The end host learns about these unauthenticated
emergency services capabilities from either the link layer type or
advertisement.
The end host uses the link-layer-specific network attachment
procedures defined for unauthenticated network access in order to
get access to the network.
Schulzrinne, et al. Informational [Page 5]
^L
RFC 7406 Unauthenticated Emergency Service December 2014
Pre-emergency Service Configuration: When the link-layer network
attachment procedure is completed, the end host learns basic
configuration information using DHCP from the ISP. The end host
uses a Location Configuration Protocol (LCP) to retrieve location
information. Subsequently, the LoST protocol [RFC5222] is used to
learn the relevant emergency numbers and to obtain the PSAP URI
applicable for that location.
Emergency Call: In case of the need for help, a user dials an
emergency number and the SIP User Agent (UA) initiates the
emergency call procedures by communicating with the PSAP.
Figure 1 compiles the basic logic taking place during network entry
for requesting an emergency service and shows the interrelation
between the three conditions described earlier.
+-----Y
|Start|
`...../
|
| Are credentials
| for network attachment
| available?
|
NO v YES
+----------------------------+
| |
| |
V v
.............. ................
| Idle: Wait | |Execute |
| for ES Call| |LLA Procedures|
| Initiation | "--------------'
"------------' |
Is | +---------->O
emergency | | | Is ASP
service | NO +-----Y | | configured?
network +--->| End | | +---------------+
attachment| `...../ | YES | | NO
possible? | | | |
v | v v
Schulzrinne, et al. Informational [Page 6]
^L
RFC 7406 Unauthenticated Emergency Service December 2014
+------------+ | +------------+ +------------+
| Execute | | | Execute | | Execute |
| NAA |--------+ | Phone BCP | | NASP |
| Procedures | | Procedures | | Procedures |
+------------+ +------------+ +------------+
Authorization for| |
making an | |
emergency call | |
with the ASP/VSP?| |
+--------------+ v
| NO | YES +-----Y
| | | Done|
v v `...../
+------------+ +------------+
| Execute | | Execute |
| ZBP | | Phone BCP |
| Procedures | | Procedures |
+------------+ +------------+
| |
| |
v v
+-----Y +-----Y
| Done| | Done|
`...../ `...../
Abbreviations:
LLA: Link-Layer Attachment
ES: Emergency Services
Figure 1: Flow Diagram: NAA, ZBP, and NSAP Scenarios
Schulzrinne, et al. Informational [Page 7]
^L
RFC 7406 Unauthenticated Emergency Service December 2014
The diagrams below highlight the most important steps for the three
cases.
+-----Y
|Start|
`...../
|
| No
| credentials
| for network access
| available
v
..............
| Idle: Wait |
| for ES Call|
| Initiation |
"------------'
|
|
|
v
--
// --
/ --
// Is --
/ emergency --
| service | NO +--------+
| network |------>| Call |
| attachment | Failed |
\ possible? / `......../
\ //
\\ //
\ //
\--/
|
| YES
|
|
v
+------------+
| Execute |
| NAA |
| Procedures |
+------------+
Schulzrinne, et al. Informational [Page 8]
^L
RFC 7406 Unauthenticated Emergency Service December 2014
|
| Network
| attachment
| in progress
v
/--\ Continue
| | with
| | application-layer
\--/ interaction
Figure 2: Flow Diagram: NAA Scenario
+-----+
+------------|Start|-----------------+
| `...../ |
v v
+------------+ +----------------+
| NAA | | Regular |
| Procedures | | Network Access |
+------------+ | Procedures |
| +----------------+
| |
| |
----------------o--------------------+
|
|
|
|
Network
Attachment
Completed
|
|
|
|
v
Schulzrinne, et al. Informational [Page 9]
^L
RFC 7406 Unauthenticated Emergency Service December 2014
+------------+ +---------+
| ASP | NO | See |
| Configured?|----->| main |
+------------+ | diagram |
| `........./
|
| YES
|
v
//----
/ --
// --
/ - +---------+
| Authorization| YES | See |
| for making |------>| main |
| ES call | | diagram |
\ with / `........./
\ VSP/ASP? //
\\ //
\ //
\--/
|
| NO
|
|
v
+------------+
| Execute |
| ZBP |
| Procedures |
+------------+
|
| Call
| in progress
|
v
+--------+
| Call |
Success|
`......../
Figure 3: Flow Diagram: ZBP Scenario
Schulzrinne, et al. Informational [Page 10]
^L
RFC 7406 Unauthenticated Emergency Service December 2014
+-----+
+------------|Start|-----------------+
| `...../ |
v v
+------------+ +----------------+
| NAA | | Regular |
| Procedures | | Network Access |
+------------+ | Procedures |
| +----------------+
| |
| |
----------------o--------------------+
|
|
|
|
Network
Attachment
Completed
|
|
|
|
v
+------------+ +---------+
| ASP | YES | See |
| Configured?|----->| main |
+------------+ | diagram |
| `........./
|
| NO
|
v
+------------+
| Execute |
| NASP |
| Procedures |
+------------+
|
| Call
| in progress
|
v
+--------+
| Call |
| Success|
`......../
Figure 4: Flow Diagram: NASP Scenario
Schulzrinne, et al. Informational [Page 11]
^L
RFC 7406 Unauthenticated Emergency Service December 2014
The NAA procedures are described in Section 6. The ZBP procedures
are described in Section 4. The NASP procedures are described in
Section 5. The Phone BCP procedures are described in [RFC6881]. The
LLA procedures are not described in this document since they are
specific to the link-layer technology in use.
4. ZBP Considerations
ZBP includes all cases where a subscriber is known to an ASP but
lacks the necessary authorization to access regular ASP services.
Example ZBP cases include empty prepaid accounts, barred accounts,
roaming and mobility restrictions, or any other conditions set by ASP
policy.
Local regulation might demand that emergency calls cannot proceed
without successful service authorization. In some regulatory
regimes, however, it may be possible to allow emergency calls to
continue despite authorization failures. To distinguish an emergency
call from a regular call, an ASP can identify emergency sessions by
inspecting the service URN [RFC5031] used in call setup. The ZBP
case, therefore, only affects the ASP.
Permitting a call despite authorization failures could present an
opportunity for abuse. The ASP may choose to verify the destination
of the emergency calls and to only permit calls to certain,
preconfigured entities (e.g., to local PSAPs). Section 7 discusses
this topic in more detail.
An ASP without a regulatory requirement to authorize emergency calls
can deny emergency call setup. Where an ASP does not authorize an
emergency call, the caller may be able to fall back to NASP
procedures.
5. NASP Considerations
To start the description, we consider the sequence of steps that are
executed in an emergency call based on Figure 5.
o As an initial step, the devices attach to the network as shown in
step (1). This step is outside the scope of this section.
o When the link-layer network attachment procedure is completed, the
end host learns basic IP configuration information using DHCP from
the ISP, as shown in step (2).
Schulzrinne, et al. Informational [Page 12]
^L
RFC 7406 Unauthenticated Emergency Service December 2014
o When the end host has configured the IP address, it starts an
interaction with the discovered LCS at the ISP, as shown in step
(3). In certain deployments, the ISP may need to interact with
the IAP. This protocol exchange is shown in step (4).
o Once location information is obtained, the end host triggers the
LoST protocol to obtain the address of the ESRP/PSAP. This is
shown in step (5).
o In step (6), the SIP UA initiates a SIP INVITE request towards the
indicated ESRP. The INVITE message contains all the necessary
parameters required by Section 5.1.5.
o The ESRP receives the INVITE and processes it according to the
description in Section 5.3.3.
o The ESRP routes the call to the PSAP, as shown in step (8),
potentially interacting with a LoST server first to determine the
route.
o The PSAP evaluates the initial INVITE and aims to complete the
call setup.
o Finally, when the call setup is completed, media traffic can be
exchanged between the PSAP and the SIP UA.
For brevity, the end-to-end SIP and media exchange between the PSAP
and SIP UA are not shown in Figure 5.
Schulzrinne, et al. Informational [Page 13]
^L
RFC 7406 Unauthenticated Emergency Service December 2014
+-------+
| PSAP |
| |
+-------+
^
| (8)
|
+----------+(7) +----------+
| LoST |<-->| ESRP |
| Server | | |
+----------+ +----------+
^ ^
+----------------+----------------|--------------+
| ISP | | |
|+----------+ | | +----------+|
|| LCS-ISP | (3)| | | DHCP ||
|| |<-+ | | | Server ||
|+----------+ | | | +----------+|
+-------^------+-+----------------|-----------^--+
+-------|------+-+----------------|-----------|--+
| IAP | (4) | |(5) | | |
| V | | | | |
|+----------+ | | | | |
|| LCS-IAP | | | +--------+ | | |
|| | | | | Link- | |(6) | |
|+----------+ | | | Layer | | | |
| | | | Device | | (2)| |
| | | +--------+ | | |
| | | ^ | | |
| | | | | | |
+--------------+-|-------|--------|-----------|--+
| | | | |
| | (1)| | |
| | | | |
| | | +----+ |
| | v | |
| | +----------+ |
| +->| End |<-------------+
+___>| Host |
+----------+
Figure 5: Architectural Overview
Note: Figure 5 does not indicate who operates the ESRP and the LoST
server. Various deployment options exist.
Schulzrinne, et al. Informational [Page 14]
^L
RFC 7406 Unauthenticated Emergency Service December 2014
5.1. End-Host Profile
5.1.1. LoST Server Discovery
The end host MUST discover a LoST server [RFC5222] using DHCP
[RFC5223] unless a LoST server has been provisioned using other
means.
5.1.2. ESRP Discovery
The end host MUST discover the ESRP using the LoST protocol [RFC5222]
unless a ESRP has been provisioned using other means.
5.1.3. Location Determination and Location Configuration
The end host MUST support location acquisition and the LCPs described
in Section 6.5 of [RFC6881]. The description in Sections 6.5 and 6.6
of [RFC6881] regarding the interaction between the device and the
Location Information Server (LIS) applies to this document.
The SIP UA in the end host MUST attach available location information
in a Presence Information Data Format Location Object (PIDF-LO)
[RFC4119] when making an emergency call. When constructing the
PIDF-LO, the guidelines in the PIDF-LO profile [RFC5491] MUST be
followed. For civic location information, the format defined in
[RFC5139] MUST be supported.
5.1.4. Emergency Call Identification
To determine which calls are emergency calls, some entity needs to
map a user-entered dial string into this URN scheme. A user may
"dial" 1-1-2, 9-1-1, etc., but the call would be sent to
urn:service:sos. This mapping SHOULD be performed at the endpoint
device.
End hosts MUST use the Service URN mechanism [RFC5031] to mark calls
as emergency calls for their home emergency dial string.
5.1.5. SIP Emergency Call Signaling
SIP signaling capabilities [RFC3261] are REQUIRED for end hosts.
The initial SIP signaling method is an INVITE. The SIP INVITE
request MUST be constructed according to the requirements in
Section 9.2 of [RFC6881].
To enable callbacks, SIP UAs SHOULD place a globally routable URI in
a Contact header field.
Schulzrinne, et al. Informational [Page 15]
^L
RFC 7406 Unauthenticated Emergency Service December 2014
5.1.6. Media
Endpoints MUST comply with the media requirements for endpoints
placing an emergency call as described in Section 14 of [RFC6881].
5.1.7. Testing
The description in Section 15 of [RFC6881] is fully applicable to
this document.
5.2. IAP/ISP Profile
5.2.1. ESRP Discovery
An ISP MUST provision a DHCP server with information about LoST
servers [RFC5223]. An ISP operator may choose to deploy a LoST
server or to outsource it to other parties.
5.2.2. Location Determination and Location Configuration
The ISP is responsible for location determination and exposes this
information to the endpoints via location configuration protocols.
The considerations described in [RFC6444] are applicable to this
document.
The ISP MUST support one of the LCPs described in Section 6.5 of
[RFC6881]. The description in Sections 6.5 and 6.6 of [RFC6881]
regarding the interaction between the end device and the LIS applies
to this document.
The interaction between the LIS at the ISP and the IAP is often
proprietary, but the description in [LIS] may be relevant to the
reader.
5.3. ESRP Profile
5.3.1. Emergency Call Routing
The ESRP continues to route the emergency call to the PSAP
responsible for the physical location of the end host. This may
require further interactions with LoST servers but depends on the
specific deployment.
5.3.2. Emergency Call Identification
The ESRP MUST understand the Service URN mechanism [RFC5031] (i.e.,
the 'urn:service:sos' tree).
Schulzrinne, et al. Informational [Page 16]
^L
RFC 7406 Unauthenticated Emergency Service December 2014
5.3.3. SIP Emergency Call Signaling
SIP signaling capabilities [RFC3261] are REQUIRED for the ESRP. The
ESRP MUST process the messages sent by the client, according to
Section 5.1.5.
Furthermore, if a PSAP wants to support NASP calls, then it MUST NOT
restrict incoming calls to a particular set of ASPs.
6. Lower-Layer Considerations for NAA Case
Some networks have added support for unauthenticated emergency access
while others have advertised these capabilities using layer beacons.
The end host learns about these unauthenticated emergency services
capabilities either from the link-layer type or from advertisement.
It is important to highlight that the NAA case is inherently a Layer
2 problem, and the general form of the solution is to provide an
"emergency only" access type, with appropriate limits or monitoring
to prevent abuse. The described mechanisms are informative in nature
since the relationship to the IETF emergency services architecture is
only indirect, namely via some protocols developed within the IETF
(e.g., EAP and EAP methods) that require extensions to support this
functionality.
This section discusses different methods to indicate an emergency
service request as part of network attachment. It provides some
general considerations and recommendations that are not specific to
the access technology.
To perform network attachment and get access to the resources
provided by an IAP/ISP, the end host uses access technology-specific
network attachment procedures, including, for example, network
detection and selection, authentication, and authorization. For
initial network attachment of an emergency service requester, the
method of how the emergency indication is given to the IAP/ISP is
specific to the access technology. However, a number of general
approaches can be identified:
Link-layer emergency indication: The end host provides an
indication, e.g., an emergency parameter or flag, as part of the
link-layer signaling for initial network attachment. Examples
include an emergency bit signaled in the IEEE 802.16-2009 wireless
link. In IEEE 802.11 WLAN [IEEE802.11], an emergency support
indicator allows the station (i.e., end host in this context) to
download before association to a Network Access Identifier (NAI),
which it can use to request server-side authentication only for an
IEEE 802.1X network.
Schulzrinne, et al. Informational [Page 17]
^L
RFC 7406 Unauthenticated Emergency Service December 2014
Higher-layer emergency indication: Typically, emergency indication
is provided in the network access authentication procedure. The
emergency caller's end host provides an indication as part of the
access authentication exchanges. Authentication via the EAP
[RFC3748] is of particular relevance here. Examples are the EAP
NAI decoration used in Worldwide Interoperability for Microwave
Access (WiMAX) networks and modification of the authentication
exchange in IEEE 802.11 [nwgstg3].
6.1. Link-Layer Emergency Indication
In general, link-layer emergency indications provide good integration
into the actual network access procedure regarding the enabling of
means to recognize and prioritize an emergency service request from
an end host at a very early stage of the network attachment
procedure. However, support in end hosts for such methods cannot be
considered to be commonly available.
No general recommendations are given in the scope of this memo due to
the following reasons:
o Dependency on the specific access technology.
o Dependency on the specific access network architecture. Access
authorization and policy decisions typically happen at different
layers of the protocol stack and in different entities than those
terminating the link-layer signaling. As a result, link-layer
indications need to be distributed and translated between the
different protocol layers and entities involved. Appropriate
methods are specific to the actual architecture of the IAP/ISP
network.
o An advantage of combining emergency indications with the actual
network attachment procedure performing authentication and
authorization is the fact that the emergency indication can
directly be taken into account in the authentication and
authorization server that owns the policy for granting access to
the network resources. As a result, there is no direct dependency
on the access network architecture that otherwise would need to
take care of merging link-layer indications into the
authentication, authorization, and policy decision process.
o EAP signaling happens at a relatively early stage of network
attachment, so it is likely to match most requirements for
prioritization of emergency signaling. However, it does not cover
Schulzrinne, et al. Informational [Page 18]
^L
RFC 7406 Unauthenticated Emergency Service December 2014
early stages of link-layer activity in the network attachment
process. Possible conflicts may arise, e.g., in case of filtering
based on Media Access Control (MAC) in entities terminating link-
layer signaling in the network (like a base station). In normal
operation, EAP-related information will only be recognized in the
Network Access Server (NAS). Any entity residing between the end
host and NAS should not be expected to understand/parse EAP
messages.
o An emergency indication can be given by forming a specific NAI
that is used as the identity in EAP-based authentication for
network entry.
6.2. Securing Network Attachment in NAA Cases
For network attachment in NAA cases, it may make sense to secure the
link-layer connection between the device and the IAP/ISP. This
especially holds for wireless access with examples being access based
on IEEE 802.11 or IEEE 802.16. The latter even mandates secured
communication across the wireless link for all IAP/ISP networks based
on [nwgstg3].
Therefore, for network attachment that is by default based on EAP
authentication, it is desirable also for NAA network attachment to
use a key-generating EAP method (that provides a Master Session Key
(MSK) to the authenticator to bootstrap further key derivation for
protecting the wireless link).
To match the above, the following approaches can be identified:
1) Server-Only Authentication:
The device of the emergency service requester performs an EAP
method with the IAP/ISP EAP server that performs server-side
authentication only. An example for this is EAP-TLS [RFC5216].
This provides a certain level of assurance about the IAP/ISP to
the device user. It requires the device to be provisioned with
appropriate trusted root certificates to be able to verify the
server certificate of the EAP server (unless this step is
explicitly skipped in the device in case of an emergency service
request). This method is used to provide access of devices
without existing credentials to an IEEE 802.1X network. The
details are incorporated in the IEEE 802.11-2012 specification
[IEEE802.11].
Schulzrinne, et al. Informational [Page 19]
^L
RFC 7406 Unauthenticated Emergency Service December 2014
2) Null Authentication:
In one case (e.g., WiMAX), an EAP method is performed. However,
no credentials specific to either the server or the device or
subscription are used as part of the authentication exchange. An
example for this would be an EAP-TLS exchange using the
TLS_DH_anon (anonymous) ciphersuite. Alternatively, a publicly
available static key for emergency access could be used. In the
latter case, the device would need to be provisioned with the
appropriate emergency key for the IAP/ISP in advance. In another
case (e.g., IEEE 802.11), no EAP method is used, so that empty
frames are transported during the over-the-air IEEE 802.1X
exchange. In this case, the authentication state machine
completes with no cryptographic keys being exchanged.
3) Device Authentication:
This case extends the server-only authentication case. If the
device is configured with a device certificate and the IAP/ISP EAP
server can rely on a trusted root allowing the EAP server to
verify the device certificate, at least the device identity (e.g.,
the MAC address) can be authenticated by the IAP/ISP in NAA cases.
An example for this is WiMAX devices that are shipped with device
certificates issued under the global WiMAX device public-key
infrastructure. To perform unauthenticated emergency calls, if
allowed by the IAP/ISP, such devices perform network attachment
based on EAP-TLS with client authentication based on the device
certificate.
7. Security Considerations
The security threats discussed in [RFC5069] are applicable to this
document.
The NASP and NAA cases introduce new vulnerabilities since the PSAP
operator will typically not have any information about the identity
of the caller via the signaling path. Today, in countries where this
functionality is used for Global System for Mobile Communications
(GSM) networks, this has lead to a significant amount of misuse.
In the context of NAA, the IAP and the ISP will probably want to make
sure that the claimed emergency caller indeed performs an emergency
call rather than using the network for other purposes, and thereby
acting fraudulent by skipping any authentication, authorization, and
accounting procedures. By restricting access of the unauthenticated
emergency caller to the LoST server and the PSAP URI, traffic can be
restricted only to emergency calls. This can be accomplished with
traffic separation. However, the details, e.g., for using filtering,
Schulzrinne, et al. Informational [Page 20]
^L
RFC 7406 Unauthenticated Emergency Service December 2014
depend on the deployed ISP architecture and are beyond the scope of
this document.
We only illustrate a possible model. If the ISP runs its own
(caching) LoST server, the ISP would maintain an access control list
populated with IP-address information obtained from LoST responses
(in the mappings). These URIs would either be URIs for contacting
further LoST servers or PSAP URIs. It may be necessary to translate
domain names returned in LoST responses to IP addresses. Since the
media destination addresses are not predictable, the ISP also has to
provide a SIP outbound proxy so that it can determine the media
addresses and add those to the filter list.
For the ZBP case, the additional aspect of fraud has to be
considered. Unless the emergency call traverses a PSTN gateway or
the ASP charges for IP-to-IP calls, there is little potential for
fraud. If the ASP also operates the LoST server, the outbound proxy
MAY restrict outbound calls to the SIP URIs returned by the LoST
server. It is NOT RECOMMENDED to rely on a fixed list of SIP URIs,
as that list may change.
RFC 6280 [RFC6280] discusses security vulnerabilities that are caused
by an adversary faking location information and thereby lying about
the actual location of the emergency caller. These threats may be
less problematic in the context of an unauthenticated emergency when
location information can be verified by the ISP to fall within a
specific geographical area.
8. References
8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
A., Peterson, J., Sparks, R., Handley, M., and E.
Schooler, "SIP: Session Initiation Protocol", RFC 3261,
June 2002, <http://www.rfc-editor.org/info/rfc3261>.
[RFC4119] Peterson, J., "A Presence-based GEOPRIV Location Object
Format", RFC 4119, December 2005,
<http://www.rfc-editor.org/info/rfc4119>.
[RFC5031] Schulzrinne, H., "A Uniform Resource Name (URN) for
Emergency and Other Well-Known Services", RFC 5031,
January 2008, <http://www.rfc-editor.org/info/rfc5031>.
Schulzrinne, et al. Informational [Page 21]
^L
RFC 7406 Unauthenticated Emergency Service December 2014
[RFC5139] Thomson, M. and J. Winterbottom, "Revised Civic Location
Format for Presence Information Data Format Location
Object (PIDF-LO)", RFC 5139, February 2008,
<http://www.rfc-editor.org/info/rfc5139>.
[RFC5222] Hardie, T., Newton, A., Schulzrinne, H., and H.
Tschofenig, "LoST: A Location-to-Service Translation
Protocol", RFC 5222, August 2008,
<http://www.rfc-editor.org/info/rfc5222>.
[RFC5223] Schulzrinne, H., Polk, J., and H. Tschofenig, "Discovering
Location-to-Service Translation (LoST) Servers Using the
Dynamic Host Configuration Protocol (DHCP)", RFC 5223,
August 2008, <http://www.rfc-editor.org/info/rfc5223>.
[RFC5491] Winterbottom, J., Thomson, M., and H. Tschofenig, "GEOPRIV
Presence Information Data Format Location Object (PIDF-LO)
Usage Clarification, Considerations, and Recommendations",
RFC 5491, March 2009,
<http://www.rfc-editor.org/info/rfc5491>.
[RFC6881] Rosen, B. and J. Polk, "Best Current Practice for
Communications Services in Support of Emergency Calling",
BCP 181, RFC 6881, March 2013,
<http://www.rfc-editor.org/info/rfc6881>.
8.2. Informative References
[IEEE802.11]
IEEE, "IEEE Standard for Information Technology -
Telecommunications and information exchange between
systems - Local and metropolitan area networks - Specific
requirements Part 11: Wireless LAN Medium Access Control
(MAC) and Physical Layer (PHY) Specifications", IEEE Std
802.11-2012, March 2012,
<http://standards.ieee.org/about/get/802/802.11.html>.
[LIS] Winterbottom, J. and S. Norreys, "LIS to LIS Protocol
Requirements", Work in Progress, draft-winterbottom-
geopriv-lis2lis-req-01, November 2007.
[RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H.
Levkowetz, "Extensible Authentication Protocol (EAP)", RFC
3748, June 2004, <http://www.rfc-editor.org/info/rfc3748>.
Schulzrinne, et al. Informational [Page 22]
^L
RFC 7406 Unauthenticated Emergency Service December 2014
[RFC5012] Schulzrinne, H. and R. Marshall, "Requirements for
Emergency Context Resolution with Internet Technologies",
RFC 5012, January 2008,
<http://www.rfc-editor.org/info/rfc5012>.
[RFC5069] Taylor, T., Tschofenig, H., Schulzrinne, H., and M.
Shanmugam, "Security Threats and Requirements for
Emergency Call Marking and Mapping", RFC 5069, January
2008, <http://www.rfc-editor.org/info/rfc5069>.
[RFC5216] Simon, D., Aboba, B., and R. Hurst, "The EAP-TLS
Authentication Protocol", RFC 5216, March 2008,
<http://www.rfc-editor.org/info/rfc5216>.
[RFC5687] Tschofenig, H. and H. Schulzrinne, "GEOPRIV Layer 7
Location Configuration Protocol: Problem Statement and
Requirements", RFC 5687, March 2010,
<http://www.rfc-editor.org/info/rfc5687>.
[RFC6280] Barnes, R., Lepinski, M., Cooper, A., Morris, J.,
Tschofenig, H., and H. Schulzrinne, "An Architecture for
Location and Location Privacy in Internet Applications",
BCP 160, RFC 6280, July 2011,
<http://www.rfc-editor.org/info/rfc6280>.
[RFC6443] Rosen, B., Schulzrinne, H., Polk, J., and A. Newton,
"Framework for Emergency Calling Using Internet
Multimedia", RFC 6443, December 2011,
<http://www.rfc-editor.org/info/rfc6443>.
[RFC6444] Schulzrinne, H., Liess, L., Tschofenig, H., Stark, B., and
A. Kuett, "Location Hiding: Problem Statement and
Requirements", RFC 6444, January 2012,
<http://www.rfc-editor.org/info/rfc6444>.
[esw07] "3rd Standards Development Organziations (SDO) Emergency
Services Workshop", October 30th - November 1st 2007,
<http://www.emergency-services-
coordination.info/2007Nov/>.
[nwgstg3] WiMAX Forum, "WiMAX Forum Network Architecture - Detailed
Protocols and Procedures Base Specification", Stage-3 WMF-
T33-001-R022V02, April 2014, <http://resources.wimaxforum.
org/sites/wimaxforum.org/files/technical_document/2014/05/
WMF-T33-001-R022v02_Network-Stage3-Base.pdf>.
Schulzrinne, et al. Informational [Page 23]
^L
RFC 7406 Unauthenticated Emergency Service December 2014
Acknowledgments
Parts of this document are derived from [RFC6881]. Participants of
the 2nd and 3rd SDO Emergency Services Workshop provided helpful
input.
We would like to thank Richard Barnes, Marc Linsner, James Polk,
Brian Rosen, and Martin Thomson for their feedback at the IETF#80
Emergency Context Resolution with Internet Technology (ECRIT)
meeting.
Furthermore, we would like to thank Martin Thomson and Bernard Aboba
for their detailed document review in preparation of the 81st IETF
meeting. Alexey Melnikov was the General Area (Gen-Art) reviewer. A
number of changes to the document had been made in response to the AD
review by Richard Barnes.
Various IESG members provided review comments, including Spencer
Dawkins, Stephen Farrell, Joel Jaeggli, Barry Leiba, Ted Lemon, and
Pete Resnick.
Schulzrinne, et al. Informational [Page 24]
^L
RFC 7406 Unauthenticated Emergency Service December 2014
Authors' Addresses
Henning Schulzrinne
Columbia University
Department of Computer Science
450 Computer Science Building
New York, NY 10027
United States
Phone: +1 212 939 7004
EMail: hgs+ecrit@cs.columbia.edu
URI: http://www.cs.columbia.edu
Stephen McCann
BlackBerry Ltd
200 Bath Road
Slough, Berks SL1 3XE
United Kingdom
Phone: +44 1753 667099
EMail: smccann@blackberry.com
URI: http://www.blackberry.com
Gabor Bajko
MediaTek
EMail: gabor.bajko@mediatek.com
Hannes Tschofenig
Hall in Tirol 6060
Austria
EMail: Hannes.Tschofenig@gmx.net
URI: http://www.tschofenig.priv.at
Dirk Kroeselberg
Siemens Corporate Technology
Otto-Hahn-Ring 6
Munich 81739
Germany
EMail: dirk.kroeselberg@siemens.com
Schulzrinne, et al. Informational [Page 25]
^L
|
