[Search] [txt|pdfized|bibtex] [Tracker] [Email] [Nits]
Versions: 00 01                                                         
ECRIT                                                     H. Schulzrinne
Internet-Draft                                               Columbia U.
Expires: December 20, 2005                                 June 18, 2005


                Location-to-URL Mapping Protocol (LUMP)
                    draft-schulzrinne-ecrit-lump-00

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on December 20, 2005.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   LUMP (Location-to-URL Mapping Protocol) maps geographic locations,
   described as PIDF-LO objects containing civic or geospatial
   information, to one or more URLs.  It is based on a standard RPC
   mechanism and supports updates.  Clusters are used to ensure scaling
   and reliability.  A flooding mechanism distributes top-level routing
   information.  Naming authority can be delegated in any tree-like
   fashion, with multiple independent authorities for each level.





Schulzrinne             Expires December 20, 2005               [Page 1]


Internet-Draft                    LUMP                         June 2005


Table of Contents

   1.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Definitions  . . . . . . . . . . . . . . . . . . . . . . . . .  3
   3.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
   4.  Introductory Example . . . . . . . . . . . . . . . . . . . . .  5
   5.  Overview of System Operation . . . . . . . . . . . . . . . . .  6
   6.  LUMP System Architecture . . . . . . . . . . . . . . . . . . .  7
   7.  Resolver Discovery . . . . . . . . . . . . . . . . . . . . . . 11
   8.  Protocol Operations  . . . . . . . . . . . . . . . . . . . . . 12
     8.1   Query  . . . . . . . . . . . . . . . . . . . . . . . . . . 12
       8.1.1   Query input  . . . . . . . . . . . . . . . . . . . . . 12
       8.1.2   Query Output . . . . . . . . . . . . . . . . . . . . . 13
       8.1.3   Query Error  . . . . . . . . . . . . . . . . . . . . . 14
     8.2   Update . . . . . . . . . . . . . . . . . . . . . . . . . . 14
       8.2.1   Update Input . . . . . . . . . . . . . . . . . . . . . 14
       8.2.2   Update Output  . . . . . . . . . . . . . . . . . . . . 14
       8.2.3   Update Error . . . . . . . . . . . . . . . . . . . . . 15
     8.3   Summary  . . . . . . . . . . . . . . . . . . . . . . . . . 15
   9.  Configuring Emergency Dial Strings . . . . . . . . . . . . . . 15
   10.   Security . . . . . . . . . . . . . . . . . . . . . . . . . . 16
   11.   References . . . . . . . . . . . . . . . . . . . . . . . . . 17
     11.1  Normative References . . . . . . . . . . . . . . . . . . . 17
     11.2  Informative References . . . . . . . . . . . . . . . . . . 17
       Author's Address . . . . . . . . . . . . . . . . . . . . . . . 18
   A.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 18
       Intellectual Property and Copyright Statements . . . . . . . . 19
























Schulzrinne             Expires December 20, 2005               [Page 2]


Internet-Draft                    LUMP                         June 2005


1.  Terminology

   In this document, the key words "MUST", "MUSTNOT", "REQUIRED",
   "SHALL", "SHALLNOT", "SHOULD", "SHOULDNOT", "RECOMMENDED", "MAY", and
   "OPTIONAL" are to be interpreted as described in RFC 2119 [1] and
   indicate requirement levels for compliant implementations.

2.  Definitions

   In addition to the terms defined in [11], this document uses the
   following terms to describe LUMP:

   authoritative resolver: Resolver that can provide the authoritative
      answer to a particular set of queries, e.g., covering a set of
      PIDF-LO civic labels or a particular region described by a
      geometric shape.  In some (rare) cases of territorial disputes,
      two resolvers may be authoritative for the same region.
   child: A child is a resolver that is authoritative for a subregion of
      a particular server.  A child can in turn be parent.
   cluster: A cluster is a group of resolver (servers) that all share
      the same mapping information and return the same results for
      queries.  Clusters provide redundancy and share query load.
      Clusters are fully-meshed, i.e., they all exchange updates with
      each other.
   complete: A civic mapping region is considered complete if it covers
      a set of hierarchical labels in its entirety, i.e., there is no
      other resolver that covers parts of the same region.  (A complete
      mapping may have children that cover strict subsets of this
      region.)  For example, a region spanning the whole country is
      complete, but a region spanning only some of the streets in a city
      is not.
   hint: A hint provides a mapping from a region to a server name, used
      to short-cut mapping operations.
   first resolver: The first resolver is the resolver contacted directly
      by the ESRP or end system to obtain a mapping.  Architecturally,
      all resolvers can serve as first resolvers, although local policy
      may disallow this.
   leaf: A resolver that has no children.
   mapping: A mapping is a short-hand for 'mapping from a location
      object to one or more URLs describing either another mapping
      server or the desired PSAP URLs.
   parent: A resolver that covers the region of all of its children.  A
      resolver without a parent is a root resolver.
   peer: A resolver maintains associations other resolvers, called
      peers.  Peers synchronize their region maps.






Schulzrinne             Expires December 20, 2005               [Page 3]


Internet-Draft                    LUMP                         June 2005


   querier: The resolver, ESRP or end system requesting a mapping.
   region map: A data object describing a contiguous area covered by a
      resolver, either as a subset of a civic address or a geometric
      object.
   root region map: A data object describing a contiguous area covered
      by a resolver, with no parent map.
   resolver: The server providing (part of) the mapping service.
      Resolvers cooperate to offer the mapping service to queriers.
   root resolver: A resolver without parents is a root resolver.

3.  Introduction

   The location-to-URL mapping protocol (LUMP) maps a civic or
   geospatial ocation, typically specified as a PIDF-LO object, to a set
   of URLs that describe the services available for that location.  The
   initial application is the mapping of locations to the appropriate
   Public Safety Answering Point (PSAP) for emergency calling.  It uses
   a common RPC protocol for its operations.

   LUMP has the following properties, described more fully later in this
   document:

      Satisfies the requirements [11] for mapping protocols.
      LUMP supportes lookup as well as address validation for civic
      addresses.
      LUMP re-uses of the most commonly used RPC protocol, SOAP, with a
      variety of transport and security options.  (Other mechanisms,
      such as XML-RPC, may also work.)  The choice is motivated by the
      availability of numerous well-tested implementations, both open
      and closed source, in just about any conceivable language
      framework (with the possible exception of Fortran and Cobol).
      LUMP uses a robust clustering and replication architectures that
      distributes load as widely as possible, with every resolver as an
      entry point.
      LUMP fully specifies mechanisms for distributing coverage-region
      information.
      Mapping can be based on either civic or geospatial location
      information, with no performance penalty for either.
      LUMP can be deployed bottom-deployment as well as top-down, with
      no need for a global coordinating body or the management of a
      global namespace or DNS name.  The mechanism described does not
      require a country-level mapping server or a set of "root" servers.
      Mapping services can be offered close to the access network, by
      the VSP/ASP, or by independent third parties.
      LUMP supports a mechanism for updates and synchronization.
      LUMP uses automated cluster replication with guaranteed
      convergence properties for maximum robustness [7].




Schulzrinne             Expires December 20, 2005               [Page 4]


Internet-Draft                    LUMP                         June 2005


      LUMP supports split responsibility for a single civic hierarchy
      level.  (Example: A city has three public safety agencies, with
      three PSAPs and independent mapping databases, each covering a
      subset of the streets in the city.)
      LUMP can be extended to additional operations and data types.
      Scalable both horizontally and vertically, i.e., any number of
      servers can support each subset of the mapping information and the
      number of levels is not bounded.
      LUMP minimizes round trips by caching individual mappings as well
      as coverage regions ("hinting").  Unless otherwise desired, there
      is only one message exchange (roundtrip delay) between the ESRP or
      end system requesting a mapping and the designated resolver.  This
      also facilitates reuse of TLS or other secure transport
      association across multiple queries.
      LUMP supports both exact and approximate (best-guess) matching,
      controllable by the querier.
      Mapping servers require only limited mutual trust.

   LUMP combines aspects of directory lookup protocols such as IRIS [8]
   and hierarchical name mapping protocols such as DNS.  However, it
   tries to avoid the constraints imposed by these earlier protocols
   designed for different applications.  For example, it is not bound to
   having a resolver hierarchy that reflects the hierarchical nature of
   a civic location and does not have to try to fit the non-hierarchical
   nature of geospatial addresses into a label hierarchy.  LUMP tries to
   avoid the notion of root servers and allows bottom-up deployment.
   LUMP supoprts updates, as this is necessary to design a robust
   replication system that allows LUMP nodes from different providers to
   become members of a cluster, without relying on unspecified
   protocols.  Unlike DNS, secure channel associations are included in
   the design, as the fan-out at each level of the hierarchy is likely
   to be much lower.  Also, LUMP is not encumbered by label and
   character set restrictions that make use of DNS cumbersome.  Both
   exact and best-effort matches are possible.

4.  Introductory Example

   For this example, assume that there is a SIP-based VSPs V that offers
   a first resolver service to its customers.  The VSP operates a
   cluster of such LUMP servers, advertised to their customers via DHCP.
   For simplicity, we only look at resolution by civic address;
   resolution by geo coordinates work exactly in the same fashion.

   Assume that in the United States, each state operates a resolver,
   covering the counties or parishes in the state.  In our example,
   there is no server covering all of the United States or larger
   regions.  Each county in the state in turn has a list of coverage
   regions, typically consisting of one or more PSAPs.  The state



Schulzrinne             Expires December 20, 2005               [Page 5]


Internet-Draft                    LUMP                         June 2005


   servers have their own database that is not shared with the rest of
   country.  Assume that the caller is located at 123 Broad Avenue,
   Bergen County, Leonia, New Jersey.

   An end user affiliated with V1 needs to place an emergency call and
   dials "9-1-1".  The end device translates this into an "sos" URI,
   which reaches the outbound proxy operated by V1, acting as an ESRP
   here.  The ESRP issues a LUMP request to the local first resolver,
   RV1.  RV1 has stored the coverage regions for all the states and
   matches the request to the New Jersey server, using the PIDF-LO
   location information contained in the SIP INVITE request for the
   lookup operation.  Since it operates in recursive mode, it in turn
   queries the New Jersey server, say, lump:state.nj.example.gov.  That
   server does not want to reveal more detailed information to the
   caller and simple returns a URL for the state-wide emergency services
   proxy, say sip:sos@emergency.nj.example.gov.

   The ESRP routes the call to sip:sos@emergency.nj.example.gov, a SIP
   proxy server.  In one or more resolution steps, that proxy server in
   turn consults a local LUMP server with the same PIDF-LO location
   information.  Assume that the town of Leonia is served by two PSAPs,
   which do not share the same database.  Streets south of a main road
   are served by one, those north by another.  The state LUMP server
   only knows that Leonia has two such servers and issues a request to
   both, i.e., lump:north.leonianj.example.gov and lump:
   south.leonianj.example.gov.  Broad Avenue is divided by this street,
   with 124 Broad Avenue happening to fall north of the dividing line.
   Both LUMP servers get the request and the northern server returns an
   answer, while the southern server indicates that this address is
   outside of its coverage region.  The northern server returns the PSAP
   address, say, sip:police@leonianj.example.gov.  The proxy simply
   routes the call to that location, including the location information.

   This is only one of many possible deployment scenarios.  As noted
   elsewhere, the area served by each server does not have to correspond
   to a particular civic address level or can span multiple levels.  The
   referral graph can differ between civic and geospatial addresses and
   can utilize completely different servers, beyond the first resolver.

5.  Overview of System Operation

   A querier, such as an ESRP or end system, desiring to obtain a
   location mapping follows the steps below:








Schulzrinne             Expires December 20, 2005               [Page 6]


Internet-Draft                    LUMP                         June 2005


   Identify a resolver: Using either DHCP [2], a service location
      protocol such as DNS-SD [9] or SLP [6], a using-protocol
      configuration protocol (e.g., [10] for SIP) or another
      configuration mechanism, the querier obtains one DNS name for a
      LUMP server cluster.
   Determine a first resolver: The domain name obtained in the previous
      step is resolved using the associated SRV [3] resource record.
      The querier chooes the highest-priority server, and continues down
      the list if that server does not respond.  As detailed in the SRV
      specification, a querier chooses randomly among multiple entries
      with the same weight.  The use of DNSsec is RECOMMENDED.
   Send query to first resolver: The querier sends a LUMP query to the
      resolver identified in the previous step, using an existing or
      newly-established secure transport association.  The query
      contains a PIDF-LO [4] object.  The resolver either determines
      that it is authoritative for the location contained in the query
      or it determines the root server for the location using region
      maps stored locally.  In either case, the first resolver issues
      the same query provided by the initial querier to the appropriate
      resolver, which then recurses until it can determine a set of URLs
      for this location.  The resolution path is recorded in the query
      result and returned to the initial querier as an ordered list of
      URL, priority tuples.  If the query does not match any existing
      record, the query returns an appropriate error code.  However, if
      the query allowed for approximate mapping, a URL may be returned,
      with an appropriate warning.

   In the next section, we describe how LUMP works "behind the scenes"
   to perform this resolution.

6.  LUMP System Architecture

   A LUMP system consists of resolvers, organized into one or more
   clusters.  Each cluster member provides the same information and
   offers load scaling and redundancy.  Each cluster may be
   authoritative for a set of location-to-URL bindings or it may simply
   forward queries to other such clusters.  Cluster members
   automatically synchronize their data stores with each other, so that
   updates made in any one cluster node propagate automatically to all
   other cluster nodes, even if some nodes were unavailable when the
   update was performed.  Cluster nodes can (and should) be
   geographically distributed for increased failure tolerance.  It is
   RECOMMENDED that each cluster contains at least two members.  All
   cluster members are listed in a single DNS SRV record, typically, but
   not necessarily, with equal priority.  Since all resolvers within a
   cluster offer equivalent services, we often use the terms resolver
   and resolver cluster interchangeably where the precise host identity
   does not matter.



Schulzrinne             Expires December 20, 2005               [Page 7]


Internet-Draft                    LUMP                         June 2005


   Resolver clusters that are authoritative form a logical resolution
   hierarchy, i.e., resolvers can refer queries for more detailed
   resolution to other resolvers.  The hierarchy is not tied to a
   particular element of the location object.  For example, it does not
   have to follow a country, state/province, city, and street hierarchy.
   We refer to a resolver A referenced by by another resolver B as a
   child resolver in relation to that resolver B.

      /---------\            /-----------\
      | first   |    peer    | first     |
      | resolver|------------| resolver  |
      \----/----/            \-----\-----/
           |                        \
           |                         \
           |                          .
           |                          \
           |                           \
           |                 cluster    \
           |                 ............\.....
           |                 .  ,-,      ,',  .
     /-----\-----\           . |   ------   | .
     | first     |           . |   |    |   | .
     | resolver  |           .  `/'      `/'  .
     \-----------/           .   |        |   .
                             .  ,\,      ,\,  .
                             . |   ------   | .
                             . |   |    |   | .
                             .  `''      `''  .
                             ..................

   In many cases, the degree of the tree will be modest.  For example,
   if there were a resolver for the United States, it might have 51
   child servers for the 50 states and the District of Columbia.  We
   anticipate that fan-outs from 20 to 100 are common, as that seems to
   be a common span of control for each civic administrative level.  For
   fan-outs of this order of magnitude, it becomes feasible for the
   parent resolver to maintain secure channel associations, e.g., via
   TLS, to all of its children, greatly accelerating the resolution
   process.

   Thus, when receiving a query, each resolver checks if the query can
   be ansered locally.  The answer may contain a pointer to another
   resolver.  For example, a server for the state of New Jersey in the
   United States might contain the following database entries

      A1 A2         URL    resolver
   US NJ Atlantic   -
   US NJ Bergen     -



Schulzrinne             Expires December 20, 2005               [Page 8]


Internet-Draft                    LUMP                         June 2005


   US NJ Monmouth   -

   In this example, the resolver has local knowledge that it only needs
   to match country, A1 and A2 elements.  All other PIDF-LO elements are
   ignored in selecting a matching entry.  This example shows a non-leaf
   resolver that only points to other resolvers.

   A leaf resolver contains at least some mapping URL, i.e., URLs of
   PSAPs.  In the example below, Leonia is a town within Bergen county,
   with two streets, Broad and Grand.

   US NJ Bergen Leonia Broad   sip:psap1@leonia.example.com
   US NJ Bergen Leonia Grand   sip:psap2@leonia.example.com  xmpp:

   Above, we assume that streets in Leonia are served by two different
   PSAPs, but contained in the same resolver.

   A more complicated example is the case where PSAPs within a single
   city, for example, cannot agree to operate a single resolver, but
   rather have each PSAP operate its own for its own coverage area.  The
   division might be by street names, sides of street, or even by
   service (fire vs. police.)  The leaf servers have entries as above,
   but the server handling Leonia (e.g., at the county level) would
   contain an entry such as

   US NJ Bergen Leonia lump:r1.example.com,
   lump:r2.example.com    sip:psap@leonia.example.com

   When a query for Grand Avenue, Leonia reaches this resolver, the
   resolver obtains two answers, r1.example.com and r2.example.com, from
   its database.  Since it does not know which of two child servers for
   Leonia knows about the PSAP for Grand Avenue, it sends a query to
   both servers.  Typically, one server will return a failure response,
   indicating that it does not contain such a mapping, while the other
   will respond with a PSAP URL.  If both respond with a failure to
   resolve, the county server in this example would return a default
   PSAP URL, here sip:psap@leonia.example.com.  In the hopefully
   unlikely case of dueling PSAPs that both are claiming to serve Grand
   Avenue, both would return an answer and the combined answer would be
   returned.  This mechanism can also deal with the case that there is
   no single emergency contact, but that different emergency services
   maintain their own citizen-facing call center operations.  In that
   case, both servers might return an answer, one indicating the URL for
   the fire service, another police service.  (Alternatively, the query
   could constrain the service.)

   While the example above returned two PSAP URLs, the same mechanism
   also works at non-leaf nodes to return resolver names.  By explicitly



Schulzrinne             Expires December 20, 2005               [Page 9]


Internet-Draft                    LUMP                         June 2005


   allowing for split authority, we avoid the notion of lame
   delegations.

   (These examples do not imply that the database needs to be
   relational.  An XML database, for example, might be used.)

   As described in more detail later in this document, queries can ask
   to be treated recursively, i.e., where the resolver returns a final
   answer, or iteratively, where it returns a resolver name if it cannot
   provide a PSAP URL.  (This is similar in spirit to the DNS approach.)

   The description above shows how servers that are authoritative for a
   set of mappings obtain an answer, but does not solve the
   bootstrapping problem, namely finding the right first top-level
   server.  This job is performed by so-called first resolvers, i.e., a
   set of resolvers that are directly contacted by queriers.  In DNS
   terminology, LUMP makes all (first) resolvers "root" servers, i.e.,
   capable of finding the right entry point into the tree.  This not
   preclude operating LUMP in a manner similar to DNS, i.e., with a
   small number of root servers that handle the whole world, but we
   believe that coordination, deployment, robustness and administration
   are improved by allowing for a far more distributed entry point.

   In LUMP, each first resolver must be equipped with a map for the top-
   level regions of the world, each served by a hierarchy of
   authoritative servers.  There is no need for these areas to be
   contiguous or exclusive, i.e., it is possible for the same geographic
   spot to be claimed by two entities.  The system works even if only
   small areas of the world participate initially, without having to
   agree on root servers.  Thus, for example, we can defer the issue of
   an international coordination body well into the future.  (Editorial
   aside: the difficulties in deploying ENUM illustrate that such
   coordination causes significant delays and overhead.)

   As noted above, resolvers that are contacted directly by end systems
   or ESRPs are called first resolvers and all such first resolvers
   share a global region map, distributed by an application-layer
   broadcast mechanism.  First resolvers may also be authoritative for a
   particular region, but that is not required.  For example, a voice
   service provider might operate one or more resolvers that are used as
   first resolvers by its customers.  Conversely, a resolver that is
   authoritative for a region may decide not to be able to serve as a
   first resolver and thus does not need to receive global region maps.

   This mechanism does not scale indefinitely, but we believe that it
   readily supports thousands of top-level authoritative resolvers.
   This belief is based on the scaling properties of Usenet, which uses
   a vaguely similar architecture as the one proposed here.



Schulzrinne             Expires December 20, 2005              [Page 10]


Internet-Draft                    LUMP                         June 2005


   The amount of data that needs to be distributed to all first
   resolvers is relatively small and likely to only see incremental
   updates as new regions are added or regions are split.  Longer term,
   it appears likely that the number of such regions corresponds roughly
   to the number of countries, i.e., around 200.  Regions described by
   civic addresses, e.g., a country or state, would have a single PIDF
   entry and a resolver URL.  Regions described by a geospatial boundary
   would contain a GML polygon and a URL.  It is hard to estimate
   bandwidth usage for distributing this information precisely, but
   reasonable estimates are probably measured in kilobytes per year.

   First resolvers peer with other resolvers to exchange top-level LUMP
   request routing information.  Each resolver can peer with as many
   other resolvers as it deems administratively appropriate, as long as
   the set of first resolver clusters form a connected graph.  (It is
   sufficient, albeit unwise, that only one server in a cluster peers
   with other servers.)

   If a new resolver covering a previously uncovered territory joins
   LUMP, it distributes an XMLDSIG-signed coverage map, consisting of a
   set of polygons to indicate geospatial coverage and/or a set of civic
   address labels and values to indicate civic coverage.  These coverage
   regions are signed to prevent spoofing and to allow receiving
   resolvers to make policy choices if the same area is covered by two
   resolvers, e.g., for territories in dispute.  (We assume that top-
   level regions are complete.)

   When receiving a map from a peer, a resolver distributes a copy to
   each of its other peers, flooding the map to the whole graph.

   When a new LUMP resolver joins a cluster or the overall LUMP graph,
   it requests the current set of regions from its peer.  More
   precisely, it uses the XXX synchronization mechanism to determine
   whether it needs to update a peer.  This avoids having multiply-
   connected peers receive multiple copies of the same region map.
   Somewhat simplified, a peer conveys to each peer a table of hash
   values reflecting the region maps it currently has stored.  This
   mechanism also deals with memory loss in a resolver.

   Like DNS zone files, coverage regions carry an identifier and
   timestamp to allow receivers to replace old regions with new regions.
   Region maps do not expire; they are valid until replaced.
   (Expiration is not necessary since new ones are pushed to all
   resolvers.)

7.  Resolver Discovery

   LUMP services may be operated by a variety of organizations and



Schulzrinne             Expires December 20, 2005              [Page 11]


Internet-Draft                    LUMP                         June 2005


   entities, including Internet service providers, Internet access
   providers, voice service providers, and specialized LUMP service
   providers, such as public safety agencies or commercial database
   vendors.  Each of these can either advertise their own servers or
   servers operated by other entities.

   LUMP supports a range of resolver discovery mechanisms.  Essentially,
   any discovery protocol may be used, including SLP [6], DNS-based [9]
   or UDDI.  If the Internet service provider offers LUMP services, it
   may advertise these via DHCP.  If the voice service provider offers
   LUMP services, it may include those in the SIP device configuration
   [10].

   In general, it is advantageous to use a resolver that is close, in
   both a network topology and geographic sense, to the querier.  Such
   proximity reduces the query latency due to reduced round-trip times
   and, in many cases, such servers will already have the necessary
   results cached, or at least pointers to appropriate authoritative
   resolvers and may already have established security associations with
   the appropriate resolver.

8.  Protocol Operations

   In this section, we describe the protocol operations.  Detailed
   information about query and response parameter lists are described in
   WSDL in TBD.

8.1  Query

   The query is the main operation in LUMP.  The query includes a
   PIDF-LO object and returns a list of URLs, in addition to hints that
   can shorten the request path for future queries.

8.1.1  Query input

   location object: The location object used for the query, typically as
      PIDF-LO.
   location object format: The format of the location object, as an
      Internet media type (e.g., text/xml).
   service: The service desired, e.g., "emergency.fire" or "emergency".
   query precision: If set to "exact", the query fails if there is no
      precise match in all relevant location fields.  If "partial", the
      matching algorithm may skip the least-significant parts of a civic
      address.  If "soundex", the matching algorithm may use a sound-
      alike algorithm to find an approximate match.  For example, the
      query "Main St" would match "Maine St".  Other query precisions
      may be defined in the future.  If the receiving resolver does not
      understand the query precision, it uses the "exact" matching



Schulzrinne             Expires December 20, 2005              [Page 12]


Internet-Draft                    LUMP                         June 2005


      algorithm.
   query mode: The query mode can be "recursive" or "iterative".  In a
      recursive query, the resolver contacted for the query in turn
      attempts to resolve the query by contacting other servers if it is
      not authoritative for the location specified.  In an iterative
      query, the resolver will return one or more LUMP URLs, in addition
      to any service URLs, that may be able to provide a more precise
      match.  Resolvers MUST support an iterative query and SHOULD
      support a recursive query.

8.1.2  Query Output

   URL list: The URL list enumerates all URLs discovered during the
      search.  Each list element includes the URL, an indication of the
      service offered by the URL, a positive integer reflecting the
      priority (with zero having the highest priority), a match quality
      indicator (drawn from the values "exact", "partial", "soundex")
      and a host name indicating the resolver that provided this answer.
      If further searches are possible, a lump: URL is included.
      Normally, such lump: URLs are only included if the querier
      requested iterative resolution.  The service indicator is optional
      and included if the URL only offers a subset of services, e.g.,
      police or fire for emergency services.  The match quality is
      included if not all parts of the civic address were used for
      matching.  It indicates the lowest-granularity indication by its
      PIDF-LO element name, such as A6.
   hint list: The hint list includes elements consisting of a LUMP URL,
      an expiration time and either a PIDF-LO containing civic
      information or a polygon.  The hint indicates a region and its
      associated LUMP URL.  For example, a hint with the region "CN=US
      A1= XXX" and URL=lump:nj.example.com would cause the resolver to
      direct all queries for this region to the nj.example.com server.
      The resolver MAY ignore hints.  Hints are accumulated if a query
      is resolved recursively.  To save space in responses, hints for
      geospatial regions may be subsets of the region covered.  For
      example, instead of representing a country with a polygon having
      hundreds of line segments and precisely tracing the boundary, the
      hint may contain a simplified version that is strictly contained
      within the true boundary, but omits some regions close to the
      border.  This causes most queries for that country to be resolved
      via the hinted URL, without having to store detailed maps.
   location object: Optionally, the query MAY return a location object
      that add information missing from the query object.  For example,
      where available, it may provide the geospatial location of a
      landmark specified as a civic address in the query.






Schulzrinne             Expires December 20, 2005              [Page 13]


Internet-Draft                    LUMP                         June 2005


   path: A list of LUMP servers that was used for resolving the query,
      enumerated in the order used.

8.1.3  Query Error

   reason code: Describes why the query failed, including server
      failure, no precise match, invalid data, refusal to recurse.
   reason: Textual description of the error condition.
   path: The list of servers that was used for resolution, with the last
      server in the list as the source of the error.

8.2  Update

   The update operation is used to synchronize a server with a
   particular mapping from a PIDF-LO object to a set of URLs.  This
   operation is used to inject new data into LUMP, by clusters to update
   other members of the cluster and to distribute region maps.

   A receiver of an update behaves slightly differently depending on
   whether the update was received from an external entity (i.e., a node
   that is either a peer or a fellow cluster member) or from a peer or
   cluster member.  If a resolver receives data from outside or a peer,
   it updates all fellow cluster members.  If a node receives data from
   a peer or data that is marked as global from outside, it also updates
   all other peers.  This floods all global data to all LUMP servers.

8.2.1  Update Input

   location object type: A media type string indicating the type of the
      location object.
   global: A flag that indicates whether this object is a top-level
      region description and thus to be flooded, or not.  (As noted
      elsewhere, accidental flooding of non-top-level regions does no
      harm beyond wasting bandwidth between resolvers.)
   region: The region, typically expressed as PIDF-LO or a polygon.
   URL list: The list of URLs (services or LUMP) that are associated
      with that region.
   replaces: Identifies, by hash value, the object that it replaces.
      This also allows a region to grow or shrink after an update.
   expires: The time that the region-to-location mapping expires.

   The location object, expiration time and URL are signed using
   XMLDSIG.

8.2.2  Update Output

   TBD




Schulzrinne             Expires December 20, 2005              [Page 14]


Internet-Draft                    LUMP                         June 2005


8.2.3  Update Error

   TBD

8.3  Summary

   Resolvers within a cluster or peers exchange summary messages.  A
   summary message contains a list of hashes that the sending node
   currently has within its object cache.  The hashes include the same
   material covered by the XMLDSIG in the Update request above, i.e.,
   include the expiration time.  TBD: Bit vector instead?

   If the recipient determines that the sender of the summary is missing
   a particular element, it sends the missing pieces using Update
   requests.

   TBD: There are more efficient synchronization mechanisms, partially
   depending on the assumptions on the updates.  See mSLP.

9.  Configuring Emergency Dial Strings

   For the foreseeable future, some user devices and software will
   emulate the user interface of a telephone, i.e., the only way to
   enter call address information is via a 12-button keypad.  Also,
   emergency numbers are likely to used until essentially all
   communication devices feature IP connectivity and an alphanumeric
   keyboard.  Unfortunately, more than 60 emergency numbers are in use
   throughout the world, with many of those numbers serving non-
   emergency purposes elsewhere, e.g., identifying repair or directory
   services.  Countries also occasionally change their emergency
   numbers, for example, by selecting a number already in use in other
   countries of a region (such as 112 in Europe).

   Thus, a system that allows devices to be used internationally to
   place emergency calls needs to allow devices to discover emergency
   numbers automatically.  In the system proposed, these numbers are
   strictly of local significance and are generally not visible in call
   signaling messages.

   For simplicity of presentation, this section assumes that emergency
   numbers are valid throughout a country, rather than, say, be
   restricted to a particular city.  This appears likely to be true in
   countries likely to deploy IP-based emergency calling solutions.  In
   addition, the solution proposed also works if certain countries do
   not use a national emergency number.  There is no requirement that a
   country uses a single emergency number for all emergency services,
   such as fire, police, or rescue.




Schulzrinne             Expires December 20, 2005              [Page 15]


Internet-Draft                    LUMP                         June 2005


   For the best user experience, systems should be able to discover two
   sets of numbers, namely those used in the user's home country and in
   the country the user is currently visiting.  The user is most likely
   to remember the former, but a companion borrowing a device in an
   emergency may only know the local emergency numbers.

   Determining home and local emergency numbers is a configuration
   problem, but unfortunately, existing configuration mechanisms are
   ill-suited for this purpose.  For example, a DHCP server might be
   able to provide the local emergency number, but not the home numbers.
   Similarly, SIP configuration would be able to provide the numbers
   valid at the location of the SIP service provider, but even a SIP
   service provider with national footprint may serve customers that are
   visiting any number of other countries.

   Since dial strings are represented as URLs [5], the problem of
   determining local and home emergency numbers is a problem of mapping
   locations to a set of URLs, i.e., exactly the problem that LUMP is
   solving already.

   The mapping operation is almost exactly the same as for determining
   the emergency service URL.  The only difference is that if a querier
   knows the civic location at least to the country level, it will use a
   query where the PIDF-LO only includes the country code.  If it only
   knows its geospatial location, it has to include that longitude and
   latitude.  The querier uses the service identifiers
   "dialstring.emergency", "dialstring.emergency.fire", etc.  The
   resolver returns the appropriate set of URLs and, if a geospatial
   location was used in the query, the current region map for the
   country.

   Within the LUMP system, emergency calling regions are global
   information, i.e., they are distributed using the peer broadcast
   mechanism described earlier.  Thus, every resolver has access to all
   region mappings.  This makes it possible that a querier can ask any
   resolver for this information, reducing the privacy threat of
   revealing its location outside of an emergency call.  The privacy
   threat is further reduced by the long-lived nature of the
   information, i.e., in almost all cases, the querier will have already
   cached the national boundary information or country information on
   its first visit to the country, using the normal LUMP hinting
   mechanism.  (Given the modest storage needs, a querier could even
   cache all boundary maps.)

10.  Security

   LUMP addresses the following security issues, usually through the
   underlying transport security associations:



Schulzrinne             Expires December 20, 2005              [Page 16]


Internet-Draft                    LUMP                         June 2005


   Server impersonation: Queriers, cluster members and peers can assure
      themselves of the identity of the remote party by using the
      facilities in the underlying channel security mechanism, such as
      TLS.
   Query or query result corruption: To avoid that an attacker can
      modify the query or its result, LUMP RECOMMENDS the use of channel
      security, such as TLS.
   Region corruption: To avoid that a third party or an untrustworthy
      member of the LUMP server population introduces a region map that
      it is not authorized for, any peer introducing a new region map
      MUST sign the object by encapsulating the data into a CMS wrapper.
      A recipient MUST verify, through a local policy mechanism, that
      the signing entity is indeed authorized to speak for that region.
      Determining who can speak for a particular region is inherently
      difficult unless there is a small set of authorizing entities that
      resolvers can trust.  Receiving resolvers should be particularly
      suspicious if an existing region map is replaced with a new one
      with a new resolver address.

   Additional threats that need to be addressed by operational measures
   include denial-of-service attacks.

11.  References

11.1  Normative References

   [1]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
        Levels", BCP 14, RFC 2119, March 1997.

   [2]  Droms, R., "Dynamic Host Configuration Protocol", RFC 2131,
        March 1997.

   [3]  Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
        specifying the location of services (DNS SRV)", RFC 2782,
        February 2000.

   [4]  Peterson, J., "A Presence-based GEOPRIV Location Object Format",
        draft-ietf-geopriv-pidf-lo-03 (work in progress),
        September 2004.

   [5]  Rosen, B., "Dialstring parameter for the sip URI",
        draft-rosen-iptel-dialstring-01 (work in progress),
        February 2005.

11.2  Informative References

   [6]   Guttman, E., Perkins, C., Veizades, J., and M. Day, "Service
         Location Protocol, Version 2", RFC 2608, June 1999.



Schulzrinne             Expires December 20, 2005              [Page 17]


Internet-Draft                    LUMP                         June 2005


   [7]   Zhao, W., Schulzrinne, H., and E. Guttman, "Mesh-enhanced
         Service Location Protocol (mSLP)", RFC 3528, April 2003.

   [8]   Newton, A. and M. Sanz, "IRIS: The Internet Registry
         Information Service (IRIS) Core Protocol", RFC 3981,
         January 2005.

   [9]   Cheshire, S., "DNS-Based Service Discovery",
         draft-cheshire-dnsext-dns-sd-02 (work in progress),
         February 2004.

   [10]  Petrie, D., "A Framework for Session Initiation Protocol User
         Agent Profile Delivery", draft-ietf-sipping-config-framework-06
         (work in progress), February 2005.

   [11]  Schulzrinne, H. and R. Marshall, "Requirements for Emergency
         Context Resolution with Internet Technologies",
         draft-schulzrinne-ecrit-requirements-00 (work in progress),
         May 2005.


Author's Address

   Henning Schulzrinne
   Columbia University
   Department of Computer Science
   450 Computer Science Building
   New York, NY  10027
   US

   Phone: +1 212 939 7004
   Email: hgs+ecrit@cs.columbia.edu
   URI:   http://www.cs.columbia.edu

Appendix A.  Acknowledgments

   provided helpful comments.














Schulzrinne             Expires December 20, 2005              [Page 18]


Internet-Draft                    LUMP                         June 2005


Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Copyright Statement

   Copyright (C) The Internet Society (2005).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.


Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.




Schulzrinne             Expires December 20, 2005              [Page 19]