Network Working Group                                     H. Schulzrinne
Internet-Draft                                               Columbia U.
Expires: April 18, 2005                                         B. Rosen
                                                        October 18, 2004

           Emergency Services for Internet Telephony Systems

Status of this Memo

   This document is an Internet-Draft and is subject to all provisions
   of section 3 of RFC 3667.  By submitting this Internet-Draft, each
   author represents that any applicable patent or other IPR claims of
   which he or she is aware have been or will be disclosed, and any of
   which he or she become aware will be disclosed, in accordance with
   RFC 3668.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at

   The list of Internet-Draft Shadow Directories can be accessed at

   This Internet-Draft will expire on April 18, 2005.

Copyright Notice

   Copyright (C) The Internet Society (2004).


   Summoning emergency help is a core feature of telephone networks.
   This document describes how the Session Initiation Protocol (SIP) can
   be used to provide advanced emergency services for voice-over-IP
   (VoIP).  The architecture employs standard SIP features and requires
   no new protocol mechanisms.  DNS is used to map civil and geospatial
   locations to the appropriate emergency call center.

Schulzrinne & Rosen      Expires April 18, 2005                 [Page 1]

Internet-Draft               Emergency Arch                 October 2004

Table of Contents

   1.  Requirements notation  . . . . . . . . . . . . . . . . . . . .  4
   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  4
   3.  Overview . . . . . . . . . . . . . . . . . . . . . . . . . . .  4
   4.  Identifying an Emergency Call  . . . . . . . . . . . . . . . .  6
   5.  Location and Its Role in an Emergency Call . . . . . . . . . .  7
     5.1   Introduction . . . . . . . . . . . . . . . . . . . . . . .  7
     5.2   Types of Location Information  . . . . . . . . . . . . . .  7
     5.3   Sources of Location Information  . . . . . . . . . . . . .  8
       5.3.1   Manually-Entered Location Information  . . . . . . . .  9
       5.3.2   End-System Measured Location Information . . . . . . .  9
       5.3.3   Third-party Measured Location Information  . . . . . .  9
       5.3.4   Conveying Location to End Systems  . . . . . . . . . . 10
     5.4   Using Location Information for Call Routing  . . . . . . . 10
     5.5   Mid-Call Location Information  . . . . . . . . . . . . . . 10
     5.6   Civic Address Verification . . . . . . . . . . . . . . . . 11
   6.  Routing the Call to the PSAP . . . . . . . . . . . . . . . . . 11
     6.1   Routing the First Request  . . . . . . . . . . . . . . . . 11
     6.2   DNS-based Mapping from Civic Coordinates to PSAP URIs  . . 13
     6.3   Updating Location Information  . . . . . . . . . . . . . . 14
   7.  Signaling of Emergency Calls . . . . . . . . . . . . . . . . . 14
   8.  Preventing Call Misdirection . . . . . . . . . . . . . . . . . 15
   9.  Including a Valid Call-Back Identifier . . . . . . . . . . . . 15
   10.   Mid-Call Services and Behavior . . . . . . . . . . . . . . . 15
   11.   Requirements for SIP Proxy Servers . . . . . . . . . . . . . 15
   12.   Configuration  . . . . . . . . . . . . . . . . . . . . . . . 16
   13.   Testing  . . . . . . . . . . . . . . . . . . . . . . . . . . 17
     13.1  Testing Mechanism  . . . . . . . . . . . . . . . . . . . . 17
     13.2  Manual Testing . . . . . . . . . . . . . . . . . . . . . . 17
     13.3  Automatic 'sos' Resolution Testing . . . . . . . . . . . . 17
   14.   Requirements for SIP User Agents . . . . . . . . . . . . . . 18
     14.1  Emergency call taker . . . . . . . . . . . . . . . . . . . 18
     14.2  Calling users  . . . . . . . . . . . . . . . . . . . . . . 18
   15.   Example Call Flows . . . . . . . . . . . . . . . . . . . . . 19
   16.   Alternatives Considered  . . . . . . . . . . . . . . . . . . 19
     16.1  tel URIs . . . . . . . . . . . . . . . . . . . . . . . . . 19
     16.2  DHCP for Configuring the PSAP URI  . . . . . . . . . . . . 19
   17.   Security Considerations  . . . . . . . . . . . . . . . . . . 20
     17.1  Caller Authentication  . . . . . . . . . . . . . . . . . . 20
     17.2  PSAP Impersonation . . . . . . . . . . . . . . . . . . . . 20
     17.3  Call Signaling Integrity . . . . . . . . . . . . . . . . . 20
     17.4  Media Integrity and Confidentiality  . . . . . . . . . . . 20
     17.5  PSAP Hiding  . . . . . . . . . . . . . . . . . . . . . . . 21
   18.   Changes Since the Last Version . . . . . . . . . . . . . . . 21
   19.   Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 21
   20.   References . . . . . . . . . . . . . . . . . . . . . . . . . 21
   20.1  Normative References . . . . . . . . . . . . . . . . . . . . 21

Schulzrinne & Rosen      Expires April 18, 2005                 [Page 2]

Internet-Draft               Emergency Arch                 October 2004

   20.2  Informative References . . . . . . . . . . . . . . . . . . . 24
       Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 25
       Intellectual Property and Copyright Statements . . . . . . . . 26

Schulzrinne & Rosen      Expires April 18, 2005                 [Page 3]

Internet-Draft               Emergency Arch                 October 2004

1.  Requirements notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as described in [RFC2119].

2.  Terminology

   (Emergency) call taker: An emergency call taker is the person that
      answers an emergency call, typically located in an emergency call
   ECC (emergency control center): Facilities used by emergency
      organizations to accept and handle emergency calls.  A PSAP
      (below) forwards emergency calls to the emergency control center,
      which dispatches polic, fire and rescue services.  An ECC serves a
      limited geographic area.  A PSAP and ECC can be combined into one
      facility.  (ETSI SR 002 180 definition)
   ESRP (emergency service routing proxy): SIP proxy that routes
      incoming emergency calls to the appropriate ECC.
   PSAP (public safety answering point): Physical location where
      emergency calls are received under the responsibility of a public
      authority.  (This terminology is used by both ETSI, in ETSI SR 002
      180, and NENA.) In the United Kingdom, PSAPs are called Operator
      Assistance Centres, in New Zealand Communications Centres.
   SIP proxy: see [RFC3261].
   SIP UA (user agent): see [RFC3261].
   Stationary device (user): User agent that is connected to the network
      at a fixed, long-term-stable geographic location.  Examples
      include a home PC or a payphone.
   Nomadic device (user): User agent that is connected to the network
      temporarily, for relatively short durations, but does not move
      significantly during the lifetime of a network connection or
      during the emergency call.  Examples include a laptop using an
      802.11 hotspot or a desk IP phone that is moved from one cubicle
      to another.
   Mobile device (user): User agent that changes geographic location and
      possibly its network attachment point during an emergency call.

3.  Overview

   Summoning police, the fire department or an ambulance in emergencies
   is one of the fundamental and most-valued functions of the telephone.
   As telephone functionality moves from circuit-switched telephony to
   Internet telephony, its users rightfully expect that this core
   functionality works at least as well as for the older technology.
   However, many of the technical advantages of Internet telephony
   require re-thinking of the traditional emergency calling
   architecture.  This challenge also offers an opportunity to improve

Schulzrinne & Rosen      Expires April 18, 2005                 [Page 4]

Internet-Draft               Emergency Arch                 October 2004

   the working of emergency calling technology, while potentially
   lowering its cost and complexity.

   It is beyond the scope of this document to enumerate and discuss all
   the differences between traditional (PSTN) and Internet telephony,
   but the core differences can be summarized as separation of signaling
   and media data, the emergence of application-independent carriers,
   and the potential mobility of all end systems, including landline
   systems and not just those using radio access technology.

   This document focuses on how emergency call centers (PSAPs) (Section
   2) can natively handle Internet telephony emergency calls, rather
   than describing how circuit-switched PSAPs can handle VoIP calls.
   However, in many cases, PSAPs making the transition from
   circuit-switched interfaces to packet-switched interfaces may be able
   to use some of the mechanisms described here, in combination with
   gateways that translate packet-switched calls into legacy interfaces,
   e.g., to continue to be able to use existing call taker equipment.

   Existing emergency call systems are organized nationally; there are
   currently no international standards.  However, Internet telephony
   does not respect national boundaries, and thus an international
   standard is required.

   Furthermore, VoIP endpoints can be connected through tunneling
   mechanisms such as virtual private networks (VPNs).  This
   significantly complicates emergency calling, because the location of
   the caller and the first element that routes emergency calls can be
   on different continents, with different conventions and processes for
   handling of emergency calls.  The IETF has historically refused to
   create national variants of its standards.  Thus, this document
   attempts to take into account best practices that have evolved for
   circuit switched PSAPs, but makes no assumptions on particular
   operating practices currently in use, numbering schemes or
   organizational structures.

   This document assumes that PSAP interface is using the Session
   Initation Protocol (SIP).  Use of a single protocol greatly
   simplifies the design and operation of the emergency calling
   infrastructure.  Only peer-to-peer protocols such as H.323, ISUP and
   SIP are suitable for inter-domain communications, ruling out
   master-slave protocols such as MGCP or H.248/Megaco.  The latter
   protocols can natually be used by the enterprise or carrier placing
   the call, but any such call would reach the PSAP through a media
   gateway controller, similar to how interdomain VoIP calls would be
   placed.  Other signaling protocols may also use protocol translation
   to communicate with a SIP-enabled PSAP.

Schulzrinne & Rosen      Expires April 18, 2005                 [Page 5]

Internet-Draft               Emergency Arch                 October 2004

   Existing emergency services rely exclusively on voice and
   conventional text telephony (known as TDD in the United States) media
   streams.  However, more choices of media offer additional ways to
   communicate, evaluate and assist callers and call takers to handle
   emergency calls.  For example, instant messaging and video could
   improve the ability to evaluate the situation and provide appropriate
   instruction prior to arrival of emergency crews.  Thus, the
   architecture described here supports the creation of sessions of any
   media type, negotiated between the caller and PSAP using existing SIP
   protocol mechanisms [RFC3264].

   While, traditionally, emergency services have been summoned by voice
   calls only, this document does not rule out the use of additional
   media during an emergency call, both to support callers with
   disabilities (e.g., through interactive text or video communications)
   and to provide additional information to the call taker and caller.
   For example, video from the caller to the PSAP may allow the call
   taker to better assess the emergency situation; a video session from
   the PSAP to the emergency caller may allow the call taker to provide
   instructions for first aid.

   The choice of media and encodings is negotiated on a call-by-call
   basis using standard SIP mechanisms [RFC3264].  To ensure that at
   least one common means of communications, this document recommends
   certain minimal capabilities in Section 14 that call taker user
   agents and PSAP-operated proxies should possess.

   This document does not prescribe the detailed network architecture
   for PSAPs or collection of PSAPs.  For example, it does not describe
   where PSAPs may place firewalls or how many SIP proxies they should

   This document does not introduce any new SIP header fields, request
   methods, status codes, message bodies, or events.  User agents
   unaware of the recommendations in this draft can place emergency
   calls, but may not be able to provide the same user interface
   functionality.  The document suggests behavior for proxy servers, in
   particular outbound proxy servers.

4.  Identifying an Emergency Call

   Using the PSTN, emergency help can often be summoned at a designated,
   widely known number, regardless of where the telephone was purchased.
   However, this number differs between localities, even though it is
   often the same for a country or region (such as many countries in the
   European Union).  For end systems based on the Session Initiation
   Protocol (SIP), it is desirable to have a universal identifier,
   independent of location, to simplify the user experience, allow the

Schulzrinne & Rosen      Expires April 18, 2005                 [Page 6]

Internet-Draft               Emergency Arch                 October 2004

   automated inclusion of location information and to allow the device
   and other entities in the call path to perform appropriate

   As part of the overall emergency calling architecture, we define a
   common user identifier, "sos", as the contact mechanism for emergency
   assistance.  We refer to this URI as the "emergency calling URI".
   The calling user agent sets both the "To" header and the request-URI
   to the emergency URI, so that entities after the ESRP can still
   readily determine that this is an emergency call.  Details are
   described in [I-D.ietf-sipping-sos].  The draft also discusses how a
   user agent or outbound proxy determines whether a dialed number
   represents an emergency number and thus should be translated into a
   "sos" URI.

   In addition, user agents SHOULD detect emergency calls following
   local emergency calling conventions.  There are two local
   conventions, namely those local to the user's SIP domain, e.g., a
   user's network at work, and those at the caller's current geographic
   location, e.g., while traveling.  The former can be obtained using
   SIP/XCAP and DNS configuration mechanisms (Section 12).

   Location information can be provided by the user agent or a proxy.
   If the user agent provides this information, the user agent needs to
   be able to determine that a call is indeed an emergency call as it is
   unlikely to include location information in each call.

5.  Location and Its Role in an Emergency Call

5.1  Introduction

   Caller location plays a central role in routing emergency calls.  For
   practical reasons, each PSAP generally handles only calls for a
   certain geographic area.  Other calls that reach it by accident must
   be manually re-routed (transferred) to the appropriate PSAP,
   increasing call handling delay and the chance for errors.  The area
   covered by each PSAP differs by jurisdiction, where some countries
   have only a small number of PSAPs, while others devolve PSAP
   responsibilities down to the community level.

   In most cases, PSAPs cover at least a city or town, but there are
   some areas where PSAP coverage areas follow old telephone rate center
   boundaries and may straddle more than one city.

5.2  Types of Location Information

   There are four primary types of location information:  civic, postal,
   geospatial, and cellular cell tower and sector.

Schulzrinne & Rosen      Expires April 18, 2005                 [Page 7]

Internet-Draft               Emergency Arch                 October 2004

   Civic: Civic location information describes the location of a person
      or object by a floor and street address that corresponds to a
      building or other structure.  (This is sometimes also called
      "civic" location information.)
   Postal: Postal addresses are similar to civic addresses, but the may
      contain post office boxes or street addresses that do not
      correspond to an actual building.  Also, the name of the post
      office sometimes does not correspond to the actual community name.
      Postal addresses are generally unsuitable for emergency call
      routing, but may be the only address available to a service
      provider, derived from billing records.
   Geospatial: Geospatial addresses contain longitude, latitude and
      altitude information.
   Cell tower/sector: Cell tower and sectors identify the cell tower and
      the antenna sector that the mobile device is currently using.
      (Cell/sector information could also be transmitted as an
      irregularly shaped polygon of geospatial coordinates reflecting
      the likely geospatial location of the mobile device, but since
      these boundaries are not sharp, transmitting the raw information
      is probaby preferable.) Mobile systems, possible in conjunction
      with the cell site location, may also transmit mobile country code
      (MCC) and mobile network code (MNC) of the host network.  This MCC
      and MNC constitutes location information, in that it tells that
      the user (with border constraints) is in a particular country.  In
      some cases, this may be sufficient for determining the PSAP to be

5.3  Sources of Location Information

   Location information can be entered by the user or installer of a
   device ("manual configuration"), can be measured by the end system,
   can be conveyed to the end system or can be measured by a third party
   and inserted into the call signaling.  We discuss these in detail

   In some cases, an entity may have multiple sources of location
   information, possibly partially contradictory.  This is particularly
   likely if the location information is determined both by the end
   system and a third party.  This document provides no recommendation
   on how to reconcile conflicting location information or which one is
   to be used by routing elements.  Conflicting location information is
   particularly harmful if it points to multiple distinct PSAPs.  If
   there is no other basis for choice, the ESRP SHOULD determine the
   appropriate PSAP for all location objects and, if there is a
   conflict, route based on the most accurate one.

   All location objects MUST be delivered to the PSAP.  To facilitate
   such policy decisions, location information SHOULD contain

Schulzrinne & Rosen      Expires April 18, 2005                 [Page 8]

Internet-Draft               Emergency Arch                 October 2004

   information about the source of data, such as GPS, manually entered
   or based on subscriber address information.  In addition, the author
   of the location information SHOULD be included.

   TBD:  SIP system should indicate which location information has been
   used for routing, so that the same location information is used for
   all call routing decisions.  Otherwise, two proxies might pick
   different location information from the call request, each pointing
   to the other one.

   End systems and network elements can derive location information from
   a variety of sources.  It is not the goal of this document to
   exhaustively enumerate them, but we provide a few common examples in
   the sections below.

5.3.1  Manually-Entered Location Information

   Location information can be maintained by the end user or the
   installer of a network connection ("wire database").  In LANs, wire
   databases map Ethernet switch ports to office locations.  In DSL
   installations, the local telephone carrier maintains a mapping of
   wire pairs to subscriber addresses.

   Even for IEEE 802.11 wireless access points, wire data bases may
   provide sufficient location accuracy.

   Location information added by end users is almost always inferior to
   measured or wire database information, as users may mistype civic
   location information, may not know the meaning of geospatial
   coordinates or may use address information that does not correspond
   to a recognized civic address.

   Wire databases are likely to be the most promising solution for
   residential users where a service provider knows the customer's
   service address.  The service provider can then perform address
   verification, similar to the current system in some jurisdictions.

5.3.2  End-System Measured Location Information

   GPS: Global Positioning System (GPS) information is generally only
      available where there is a clear view of a large swath of the sky.
      It is accurate to tens of feet.

5.3.3  Third-party Measured Location Information

Schulzrinne & Rosen      Expires April 18, 2005                 [Page 9]

Internet-Draft               Emergency Arch                 October 2004

   Wireless triangulation: Elements in the network infrastructure
      triangulate end systems based on signal strength or time of
      arrival.  Signal strength may be reported by access points,
      special measurement devices or the end systems.
   Location beacons: A short range wireless beacon, e.g., using
      BlueTooth or infrared, announces its location to mobile devices in
      the vicinity.

5.3.4  Conveying Location to End Systems

   Unless a user agent has access to locally measured location
   information, it MUST use DHCP to obtain location information.  DHCP
   can deliver civic [I-D.ietf-geopriv-dhcp-civil] or geospatial
   [RFC3825] information.  User agents MUST support both formats.  Note
   that a user agent can use DHCP, via the INFORM request, even if it
   uses other means to acquire its IP address.

   In addition, link-layer mechanisms such as the Link-Layer Discovery
   Protocol (LLDP, IEEE 802.1ab), with proposed extensions, MAY also be
   used to deliver such information.

5.4  Using Location Information for Call Routing

   Since all existing emergency services have limited geographic and
   jurisdictional coverage, all emergency calls need to be routed to the
   appropriate PSAP.  Rather than to the geographically closest PSAP,
   calls need to be directed to the most jurisdictionally appropriate
   one, which may well be further away.

5.5  Mid-Call Location Information

   Location information may not be available at call setup time.  For
   example, if a GPS-enabled cell phone is turned on and then
   immediately places an emergency call, it can take an additional 20-25
   seconds before the cell phone acquires a GPS fix and its location.
   Thus, while it is necessary and expedient to include caller location
   information in the call setup message, this is not sufficient in all
   circumstances.  In some cases, the initial call setup will proceed
   based on, for example, cell and sector information and then add
   location information during the call, rather than delaying the
   initial call setup by an unacceptable amount of time.

   In addition, the location of a mobile caller, e.g., in a vehicle or
   aircraft, can change significantly during the emergency call.

   Location updates MAY be conveyed either in re-INVITE or UPDATE
   messages or the PSAP may subscribe to the location information of the
   caller, using SIP presence mechanisms (RFC 3265 [RFC3265]RFC 3856

Schulzrinne & Rosen      Expires April 18, 2005                [Page 10]

Internet-Draft               Emergency Arch                 October 2004

   [RFC3856]).  Authorization for subscriptions is for future study.

5.6  Civic Address Verification

   Users of SIP endpoints must be able to verify that their address is
   valid ahead of an actual emergency call.  For example, in the United
   States, the Master Street Address Guide (MSAG) records all valid
   street addresses and is used to ensure that phone billing records
   correspond to valid emergency service street addresses.

   There are several ways to verify this information, depending on its
   source.  If the location information is provided by the network
   service provider via DHCP, SIP end systems SHOULD display this
   information at boot-up and at regular intervals thereafter to allow
   users to confirm that the information is correct.

   If the DNS emergency services directory contains street-level
   addresses rather than just towns or counties, an end system can
   verify that a civic address, configured manually or via DHCP, exists.

6.  Routing the Call to the PSAP

6.1  Routing the First Request

   Emergency calls are routed based on one or more of the following
   criteria expressed in the call setup request (INVITE):

   Location: Since each PSAP serves a limited geographic region and
      transferring existing calls delays the emergency response, calls
      need to be routed to the most appropriate PSAP.  In this
      architecture, emergency call setup requests contain location
      information, expressed in civic or geospatial coordinates, that
      allows such routing.  If there is no or imprecise (e.g., cell
      tower and sector) information at call setup time, an on-going
      emergency call may also be transferred to another PSAP based on
      location information that becomes available in mid-call.
   Type of emergency service: In some jurisdictions, emergency calls for
      fire, police, ambulance or mountain rescue are directed to
      emergency-specific PSAPs.  We support this mechanism by optionally
      labeling calls with a service identifier [I-D.ietf-sipping-sos].
      Using the caller preferences [I-D.ietf-sip-callerprefs]
      mechanisms, ESRPs can then route labeled calls appropriately.
   Media capabilities of caller: In some cases, emergency call centers
      for specific caller media preferences, such as typed text or
      video, are separate from voice systems.  Also, even if media
      capability does not affect the selection of the PSAP, there may be
      call takers within the PSAP that are specifically trained, e.g.,
      in interactive text or sign language communications.  Again, we

Schulzrinne & Rosen      Expires April 18, 2005                [Page 11]

Internet-Draft               Emergency Arch                 October 2004

      use the callee capabilities [I-D.ietf-sip-callee-caps] mechanism
      to label and route such calls.

   Call routing can be performed in three different ways:

   1.  The calling user agent can route the call to the PSAP URI it
       received in a DHCP or SIP configuration message (not discussed
       further; TBD!).  This is generally only possible for stationary
       and nomadic devices.  In that case, the DHCP server has to be
       able to map callers to PSAP URIs.
   2.  The calling user agent uses DNS to translate a geospatial or
       civic address into a URI identifying a PSAP or group of PSAPs.
       This mode can be used by stationary, nomadic and mobile devices.
   3.  Any SIP proxy along the call path from the mobile device to the
       home domain can recognize an emergency call and route it based on
       the location information contained in the INVITE request, using
       DNS or other mechanisms not defined in this document.

   Each proxy receiving an emergency call request, identified as
   described in Section 4, attempts to route the call to the most
   appropriate PSAP, group of PSAPs or another, more suitable ESRP.
   Similarly, a user agent can also directly route emergency calls if it
   has location information, either obtained locally or from a redirect
   response provided by the outbound proxy.  There are three types of
   routing actions:  default routing, DNS-based routing and local
   routing.  Not all routing actions can take all three dimensions
   (location, type of service, capabilities) into account.

   ESRPs and user agents using default routing forward all emergency
   call requests to one designated ESRP, regardless of the location of
   the caller, type of service or media capabilities.

   ESRPs and user agents using DNS-based routing employ the mechanism in
   [I-D.rosen-dns-sos] to route calls to another ESRP that is qualified
   to handle the emergency call.

   Finally, an ESRP MAY use a local database or other query protocols to
   perform call routing using location, type of service or callee
   capabilities.  The details of such a database are beyond the scope of
   this document.

   Call routing may combine several of these methods.  For example, an
   outbound proxy might route all emergency calls to a designated ESRP.
   The ESRP extracts civic location information from the request and
   converts the elements into a DNS query, using the "" domain,
   starting from the countrycode and adding the A1 through A6 elements
   of the civic location contained [I-D.ietf-geopriv-pidf-lo] in the
   call.  It starts from the most precise location and strips location

Schulzrinne & Rosen      Expires April 18, 2005                [Page 12]

Internet-Draft               Emergency Arch                 October 2004

   elements if there are no entries at that level.  For example, the
   ESRP might find that "" does not exist,
   but that "" features an entry.  The ESRP
   identified in that entry may in turn use the location information to
   route the request to individual communities, without exposing this
   information to the public.  In the extreme case, only a country-level
   ESRP needs to be exposed in DNS.  Thus, each jurisdiction can make
   its own decisions as to whether it wants to use DNS or local
   databases to perform call routing.

   If an emergency call INVITE request does not contain location
   information and no other location hints (such as subscriber identity)
   are available, the first ESRP in the call path SHOULD route it to a
   PSAP or group of PSAPs that is geographically local to that proxy,
   since no other call routing can be performed.

   Jurisdictions organizing PSAPs may choose to implement multiple
   levels of routing based on location.  For example, a state, province
   or county might deploy an ESRP in front of a collection of PSAPs.
   The information available to a VoIP carrier or enterprise ESRP may be
   coarse, so that any location within the state or province gets routed
   to that representative ESRP, with that ESRP performing the detailed
   routing to a specific PSAP.  The routing mechanism used by the ESRP
   may nor may not rely on public information.  Depending on choices
   made by the operator of the PSAP and ESRP, the PSAP may only be
   reachable by SIP requests routed through the ESRP.

6.2  DNS-based Mapping from Civic Coordinates to PSAP URIs

   We define a hierarchy of domain names corresponding to the country
   name and A1 through A6 hierarchy of administrative units (e.g.,
   state, county, and city), as subdomains below  For example,
   the domain designates the town of Leonia
   in Bergen County in the state of New Jersey, United States.  Unless
   the domain is the lowest one in the hierarchy, with no subdomains, it
   contains a PTR resource record pointing to the leaves below it.  For

Schulzrinne & Rosen      Expires April 18, 2005                [Page 13]

Internet-Draft               Emergency Arch                 October 2004         PTR         PTR         PTR         PTR
   ...         PTR         PTR      PTR      PTR      PTR
   ... PTR PTR
   ... IN NAPTR
      NAPTR 100 10 "u" "SOS" "/.*/" .

   PTR records were chosen since they are designed to allow retrieval of
   multiple matching resource records, without doing a zone transfer.

   Street names and their components (XXX in PIDF-LO) are concatenated
   by using a hyphen in the order ....  Empty elements are omitted,
   including the hyphen.

6.3  Updating Location Information

   Location information is needed both for routing the initial INVITE
   message in a call as well as possibly later during a call since
   location information may change or only become available later, after
   the call has reached a PSAP.

   The caller sends UDPATE [RFC3311], either prior to completion of the
   initial INVITE transaction or during the call, to the destination.
   Care must be taken that these requests are routed to the same
   destination as the original call-initiating request.  This is
   unlikely to be a problem for a re-INVITE if the Contact header field
   in the 200 OK indicates the PSAP address.

7.  Signaling of Emergency Calls

   Since emergency calls carry privacy-sensitive information, they are
   subject to the requirements for geospatial protocols.  In particular,
   signaling information MUST be carried in TLS, i.e., in 'sips' mode.

   Details can be found in [I-D.ietf-sipping-location-requirements].

Schulzrinne & Rosen      Expires April 18, 2005                [Page 14]

Internet-Draft               Emergency Arch                 October 2004

8.  Preventing Call Misdirection

   We need to prevent an emergency call reaching a destination other
   than an PSAP.  For example, a rogue UA able to intercept SIP requests
   might be able to impersonate an PSAP.

   In the absence of a globally recognized certificate that ensures that
   the owner is a legitimate PSAP, we rely on a chain of trust enforced
   by the 'sips' URI schema.  The 'sips' URI schema forces each SIP hop
   to route the call only to destinations supporting TLS transport.
   Each ESRP MUST verify that the next-hop destination chosen as
   described in Section 6 corresponds to the server certificate offered
   by that destination.

9.  Including a Valid Call-Back Identifier

   The call taker must be able to reach the emergency caller if the
   original call is disconnected.  In traditional emergency calls,
   wireline and wireless emergency calls include a callback number for
   this purpose.  In SIP systems, the caller SHOULD include a Contact
   header indicating its device URI, if available, or possibly a GRUU
   [I-D.ietf-sip-gruu] if calls need to be routed via a proxy.

10.  Mid-Call Services and Behavior

   If the called PSAP can sign the response, it can include the
   'service' media feature tag in the response to indicate to the
   calling user agent that the call is an emergency call.  The calling
   user agent can then modify its normal behavior to reflect the special
   nature of the call, e.g., to prevent accidental disconnects.  A UA
   MUST NOT modify its behavior unless the call response is
   authenticated, as this could otherwise be used by malicious
   destinations to affect caller UA functionality.

   The PSAP MAY return 403 (Forbidden) in response to a BYE request if
   caller hangs up before the PSAP wants to relinquish the call.

11.  Requirements for SIP Proxy Servers

   All ESRP SHOULD support RFC 3261 [RFC3261] with UDP, TCP, TLS

   User agent servers and proxy servers MUSTNOT require that the user
   agent client be registered or authenticated in order to place an
   emergency call.

   For robustness, ESRPs SHOULD NOT use RFC 1918 [RFC1918] addresses,
   i.e., should not be behind network address translators.

Schulzrinne & Rosen      Expires April 18, 2005                [Page 15]

Internet-Draft               Emergency Arch                 October 2004

12.  Configuration

   SIP devices do not require any additional configuration to place
   emergency calls.  They SHOULD use the local outbound proxy,
   discovered via [RFC3361] or [RFC3319].

   However, to acquire local dial plan numbers, the SIP configuration
   framework [I-D.ietf-sipping-config-framework] can be used.  The
   format for dial plans remains to be defined.  A device may retrieve
   dial plan information for emergency calls from two locations, namely
   the user's home domain and the local outbound proxy, as described in
   Section 3.13 of [I-D.ietf-sipping-config-framework].

   Since a traveling user cannot rely on a DHCP server in the visited
   location to have accurate local emergency number information, we also
   propose a new DNS resource record, EN.  Typically, this resource
   record will be associated with a country-level '' zone, as
   most countries either have or are developing country-wide emergency
   numbers.  These number strings are treated as dial strings
   [I-D.rosen-iptel-dialstring], not "tel" URIs.  TBD:  It might be
   possible to use NAPTR [RFC2915] records to include translations such
   that 112 becomes sos for  NAPTR translations are not
   limited to hostnames or URIs.

   In the example below, the German emergency number for police is
   translated into an 'sos' URI.  This only works if there is a
   designated SIP proxy that can route all emergency calls originating
   in Germany.  There does not appear to be a way to substitute the
   caller's current home AOR domain, although one could conceivably
   adopt a convention for including this information.  Note that this
   mechanism would also allow direct routing based on finer-grained
   location information, e.g., at the city level.
   ;;       order pre flags service        regexp     replacement
   IN NAPTR 100 10 "u" "SOS" "/110/" .
   ;;       order pre flags service        regexp      replacement
   IN NAPTR 100 10 "u" "SOS" "/110/" .

   Example NAPTR records to map dial strings to 'sos' URIs

                                Figure 2

   In addition to the generic mechanism describe above, there may be
   access transport specific mechanisms for downloading this information
   to the user agent.  For example, a 3GPP phone from release 5 onwards

Schulzrinne & Rosen      Expires April 18, 2005                [Page 16]

Internet-Draft               Emergency Arch                 October 2004

   can have emergency number information downloaded from visited network
   entities at network registration time.

13.  Testing

13.1  Testing Mechanism

   Since the emergency calling architecture consists of a number of
   pieces operated by independent entities, it is important to be able
   to test whether an emergency call is likely to succeed without
   actually occupying the human resources at a PSAP.  Both signaling and
   media paths need to be tested since NATs and firewalls may allow the
   session setup request to reach the PSAP, while preventing the
   exchange of media.

   INVITE requests to the user "sos" address and a service indicator of
   sos.test can be used to test if the "sos" address is valid.  As in
   standard SIP, a 200 (OK) response indicates that the address was
   recognized and a 404 (Not found) that it was not.  Such request cause
   no further action.  The response MAY contain a message body
   describing the PSAP that was reached and may automatically.  The test
   server SHOULD echo a limited number of RTP audio packets to test
   media connectivity.

   User agents SHOULD perform a full call test, including media,
   according to Section 13.1 after a disconnect and subsequent change in
   IP address, as the NAT configuration may have changed.

   User agents MUST NOT place a test call immediately after booting, as
   a widespread power outage and subsequent restoration would impose an
   inordinate load on the emergency call routing system.

13.2  Manual Testing

   A compliant user agent implementation MUST have the capability to
   perform the test outlined in Section 13.1 by explicit user request.

13.3  Automatic 'sos' Resolution Testing

   If a user agent does its own call routing, it MUST periodically and
   after every significant location change ascertain that it can still
   resolve its current location to a PSAP address.  It does not actually
   have to generate a SIP request to test emergency calls.

   A significant location change is defined here as a change of one
   degree or more in longitude or latitude or a change in the A1 or A2
   level of civil locations.

Schulzrinne & Rosen      Expires April 18, 2005                [Page 17]

Internet-Draft               Emergency Arch                 October 2004

   The periodic test should be performed every 24 to 48 hours and MUST
   be randomly placed over the testing interval.

14.  Requirements for SIP User Agents

14.1  Emergency call taker

   To increase the likelihood that diverse user equipment can
   successfully communicate with the PSAP, it is recommended that call
   taker equipment has at least the following capabilites:

   Signaling: RFC 3261 [RFC3261], with UDP, TCP and TLS (sips) support.
   Media transport: RTP and RTCP according to RFC 3550 [RFC3550] and RFC
      3551 [RFC3551].  SRTP according to RFC 3711. [RFC3711]
   Audio codecs: G.711, GSM 06.10, DTMF support using RFC 2833
      [RFC2833], with forward error correction (RFC 2733 [RFC2733]).
   Interactive text: using RTP according to RFC 2793bis
   Video: Support H.261, H.263 and H.264 in QCIF, CIF and 4CIF sizes.
   SIP-based instant messaging: RFC 3428 [RFC3428]

14.2  Calling users

   A user agent placing an emergency call SHOULD use the "sips" URI
   schema for all such calls, forcing these calls to use TLS as secure
   hop-by-hop transport.  If a call cannot be established using TLS
   transport, the user agent SHOULD attempt a call using the "sip" URI.

   If a user agent receives a redirect (3xx) response for an emergency
   call, it MUST include the location information contained in that
   response in the outgoing call.  This differs from regular behavior
   for redirects, where the message body is not copied into the new

   User agents MUST support blind transfer using REFER [RFC3515].

   A user agent MUST check the Contact URI in redirect responses to see
   if it is an emergency call, as described in Section 4.  If so, the
   behavior in the previous paragraph applies.

   End systems that allow human users to initiate an emergency call with
   a single button press or other similar stimulus SHOULD require
   callers to confirm their call.

   UAs SHOULD place a "Priority" header with value "emergency" in all
   emergency calls, but its presence cannot be relied upon to identify
   an emergency call.

Schulzrinne & Rosen      Expires April 18, 2005                [Page 18]

Internet-Draft               Emergency Arch                 October 2004

15.  Example Call Flows


16.  Alternatives Considered

   This is a non-normative appendix.  During discussions of emergency
   calling, a number of suggestions are commonly made.  Below, we
   discuss some of the reasons why these alternatives do not satisfy the
   requirements of emergency calling.

16.1  tel URIs

   Instead of providing URIs to call routing proxies or end systems, it
   has been suggested that end systems be configured with a "tel" URI
   [I-D.ietf-iptel-rfc2806bis].  Such a "tel" URI would have to be
   routed to a geographically appropriate telephony gateway, as it is
   unlikely that every building, enterprise or residence will have its
   own gateway.  VoIP devices can be used in networks that are
   completely unaware of VoIP services, with VoIP service providers that
   are physically far removed from the caller's network location.  Thus,
   the use of a tel URI simply moves the problem to the outbound proxy,
   which has to use the caller's location to determine the appropriate
   telephony gateway.

   In addition, emergency telephone numbers are far from universal, with
   some such numbers used for non-emergency purposes elsewhere.  Thus,
   an outbound proxy would have to ascertain the location of the caller
   to guess whether the "tel" URI identifies an emergency call or some
   other number.

   Thus, "tel" URIs are not likely to be appropriate or sufficient for
   identifying emergency calls and do not, by themselves, solve the call
   routing problem.

16.2  DHCP for Configuring the PSAP URI

   One could add emergency calling information to network configuration
   protocols such as DHCP.  A DHCP option could identify the appropriate
   PSAP URI, for example.  This simple approach runs into two problems:
   lack of congruence of DHCP and PSAP serving areas and difficulty of
   DHCP server configuration.

   DHCP servers may provide information to large groups of
   geographically dispersed users, often spanning jurisdictional
   boundaries.  (For example, CATV plants generally do not follow
   community boundaries.)

Schulzrinne & Rosen      Expires April 18, 2005                [Page 19]

Internet-Draft               Emergency Arch                 October 2004

   The DHCP server would also have to be able to determine the
   appropriate URI.  Unless all calls, at least within a country, are
   routed to a single logical proxy and that proxy maintains a national
   jurisdictional database, DCHP serves would have to be manually or
   automatically configured with regional or local PSAP information.
   Since the number of such DHCP servers is large and since authorities
   are unlikely to maintain a mailing list of DHCP server operators, it
   would be up to each owner of such servers to keep up with
   jurisdictional changes.  While such changes are not frequent, they do
   occur, as PSAP jurisdictions are merged or as unincorporated areas
   are merged into neighboring municipalities.

17.  Security Considerations

17.1  Caller Authentication

   To prevent crank calling and to support call back, PSAPs may want to
   authenticate the caller.  If the call is routed via an outbound
   proxy, the outbound proxy may be able to ascertain whether the
   identity provided in the call corresponds at least to the appropriate
   domain.  However, visiting users may legitimately feature a different
   caller identity than the domain of the outbound proxy.  Mechanisms
   such as the authenticated identity body [I-D.ietf-sip-authid-body]
   may be used to assert identities.

   In keeping with established customs in circuit-switched emergency
   calling, authentication cannot be made a pre-requisite for routing or
   accepting an emergency call.  However, a call taker may be more
   suspicious of a caller and request additional information if the call
   authenticity cannot be verified.

17.2  PSAP Impersonation

   See Section 8.

   With DNS-based call routing (Section 6), an attacker could modify the
   DNS entries for one or more PSAPs, re-routing calls destined for
   them.  Thus, the use of secure DNS is RECOMMENDED.

17.3  Call Signaling Integrity

   To prevent a malicious outsider from manipulating call information,
   SIP requests SHOULD be routed via "sips" from caller to emergency
   call taker.

17.4  Media Integrity and Confidentiality

   Media integrity and confidentiality can be assured by the use of

Schulzrinne & Rosen      Expires April 18, 2005                [Page 20]

Internet-Draft               Emergency Arch                 October 2004


17.5  PSAP Hiding

   The issue of hiding PSAP identity has been raised in mailing list
   discussion.  It has been argued that hiding the identity of an PSAP
   confers some protection against denial-of-service attacks, for
   example.  However, it appears that this notion is based on false
   assumptions.  Unless a B2BUA or NAT is involved, media packets will
   carry the IP address of the PSAP (or one of its call takers) and thus
   can be readily used to deduce the address of the PSAP, even if it is
   not advertised in DNS.  (B2BUAs and NATs have known architectural,
   reliability and other operational disadvantages that do not recommend
   their use simply to hide PSAP addresses.)

   Similarly, trying to protect the mapping between geographic location
   and PSAP is similarly difficult.  Unless it is required that all
   location information is verified in real time, which would be close
   to impossible for mobile devices, end systems can simply pretend to
   be in different parts of the city or county and deduce which PSAP is
   answering the call.

18.  Changes Since the Last Version

      Added references to LLDP (IEEE 802.1ab) as a protocol for
      conveying location to end system.
      Changed ECC to PSAP.  ECC is also used by ETSI (ETSI SR 002 180)
      to designate Emergency Control Centers, which dispatch emergency
      assistance.  ETSI uses the term PSAP, so it seemed unnecessary to
      create new terminology.
      The description of location sources has been extended.
      An non-normative section on why DHCP or tel URIs are not
      sufficient has been added.
      Text on testing and preventing call hang-ups has been added.

19.  Acknowledgements

   Keith Drage provided helpful comments.

20.  References

20.1  Normative References

              Hellstrom, G., "RTP Payload for Text Conversation",
              draft-ietf-avt-rfc2793bis-09 (work in progress), August

Schulzrinne & Rosen      Expires April 18, 2005                [Page 21]

Internet-Draft               Emergency Arch                 October 2004

              Schulzrinne, H., "Dynamic Host Configuration Protocol
              (DHCPv4 and DHCPv6) Option for Civic  Addresses
              Configuration Information",
              draft-ietf-geopriv-dhcp-civil-04 (work in progress),
              October 2004.

              Peterson, J., "A Presence-based GEOPRIV Location Object
              Format", draft-ietf-geopriv-pidf-lo-03 (work in progress),
              September 2004.

              Peterson, J., "SIP Authenticated Identity Body (AIB)
              Format", draft-ietf-sip-authid-body-03 (work in progress),
              May 2004.

              Rosenberg, J., "Indicating User Agent Capabilities in the
              Session Initiation Protocol  (SIP)",
              draft-ietf-sip-callee-caps-03 (work in progress), January

              Rosenberg, J., Schulzrinne, H. and P. Kyzivat, "Caller
              Preferences for the Session Initiation Protocol (SIP)",
              draft-ietf-sip-callerprefs-10 (work in progress), October

              Rosenberg, J., "Obtaining and Using Globally Routable User
              Agent (UA) URIs (GRUU) in the  Session Initiation Protocol
              (SIP)", draft-ietf-sip-gruu-02 (work in progress), July

              Petrie, D., "A Framework for Session Initiation Protocol
              User Agent Profile Delivery",
              draft-ietf-sipping-config-framework-04 (work in progress),
              July 2004.

              Polk, J., "Requirements for Session Initiation Protocol
              Location Conveyance",
              draft-ietf-sipping-location-requirements-01 (work in
              progress), July 2004.


Schulzrinne & Rosen      Expires April 18, 2005                [Page 22]

Internet-Draft               Emergency Arch                 October 2004

              Schulzrinne, H., "Emergency Services URI for the Session
              Initiation Protocol", draft-ietf-sipping-sos-00 (work in
              progress), February 2004.

              Rosen, B., "Emergency Call Information in the Domain Name
              System", draft-rosen-dns-sos-01 (work in progress), July

              Rosen, B., "Dialstring parameter for the sip URI",
              draft-rosen-iptel-dialstring-00 (work in progress), June

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2733]  Rosenberg, J. and H. Schulzrinne, "An RTP Payload Format
              for Generic Forward Error Correction", RFC 2733, December

   [RFC2793]  Hellstrom, G., "RTP Payload for Text Conversation", RFC
              2793, May 2000.

   [RFC2833]  Schulzrinne, H. and S. Petrack, "RTP Payload for DTMF
              Digits, Telephony Tones and Telephony Signals", RFC 2833,
              May 2000.

   [RFC2915]  Mealling, M. and R. Daniel, "The Naming Authority Pointer
              (NAPTR) DNS Resource Record", RFC 2915, September 2000.

   [RFC3261]  Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
              A., Peterson, J., Sparks, R., Handley, M. and E. Schooler,
              "SIP: Session Initiation Protocol", RFC 3261, June 2002.

   [RFC3264]  Rosenberg, J. and H. Schulzrinne, "An Offer/Answer Model
              with Session Description Protocol (SDP)", RFC 3264, June

   [RFC3265]  Roach, A., "Session Initiation Protocol (SIP)-Specific
              Event Notification", RFC 3265, June 2002.

   [RFC3311]  Rosenberg, J., "The Session Initiation Protocol (SIP)
              UPDATE Method", RFC 3311, October 2002.

   [RFC3319]  Schulzrinne, H. and B. Volz, "Dynamic Host Configuration
              Protocol (DHCPv6) Options for Session Initiation Protocol
              (SIP) Servers", RFC 3319, July 2003.

Schulzrinne & Rosen      Expires April 18, 2005                [Page 23]

Internet-Draft               Emergency Arch                 October 2004

   [RFC3361]  Schulzrinne, H., "Dynamic Host Configuration Protocol
              (DHCP-for-IPv4) Option for Session Initiation Protocol
              (SIP) Servers", RFC 3361, August 2002.

   [RFC3428]  Campbell, B., Rosenberg, J., Schulzrinne, H., Huitema, C.
              and D. Gurle, "Session Initiation Protocol (SIP) Extension
              for Instant Messaging", RFC 3428, December 2002.

   [RFC3515]  Sparks, R., "The Session Initiation Protocol (SIP) Refer
              Method", RFC 3515, April 2003.

   [RFC3550]  Schulzrinne, H., Casner, S., Frederick, R. and V.
              Jacobson, "RTP: A Transport Protocol for Real-Time
              Applications", STD 64, RFC 3550, July 2003.

   [RFC3551]  Schulzrinne, H. and S. Casner, "RTP Profile for Audio and
              Video Conferences with Minimal Control", STD 65, RFC 3551,
              July 2003.

   [RFC3711]  Baugher, M., McGrew, D., Naslund, M., Carrara, E. and K.
              Norrman, "The Secure Real-time Transport Protocol (SRTP)",
              RFC 3711, March 2004.

   [RFC3825]  Polk, J., Schnizlein, J. and M. Linsner, "Dynamic Host
              Configuration Protocol Option for Coordinate-based
              Location Configuration Information", RFC 3825, July 2004.

   [RFC3856]  Rosenberg, J., "A Presence Event Package for the Session
              Initiation Protocol (SIP)", RFC 3856, August 2004.

20.2  Informative References

              Schulzrinne, H., "The tel URI for Telephone Numbers",
              draft-ietf-iptel-rfc2806bis-09 (work in progress), June

   [RFC1918]  Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G. and
              E. Lear, "Address Allocation for Private Internets", BCP
              5, RFC 1918, February 1996.

Schulzrinne & Rosen      Expires April 18, 2005                [Page 24]

Internet-Draft               Emergency Arch                 October 2004

Authors' Addresses

   Henning Schulzrinne
   Columbia University
   Department of Computer Science
   450 Computer Science Building
   New York, NY  10027

   Phone: +1 212 939 7042

   Brian Rosen
   2000 Marconi Drive
   Warrendale, PA  15086


Schulzrinne & Rosen      Expires April 18, 2005                [Page 25]

Internet-Draft               Emergency Arch                 October 2004

Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at

Disclaimer of Validity

   This document and the information contained herein are provided on an

Copyright Statement

   Copyright (C) The Internet Society (2004).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.


   Funding for the RFC Editor function is currently provided by the
   Internet Society.

Schulzrinne & Rosen      Expires April 18, 2005                [Page 26]