ECRIT H. Tschofenig
Internet-Draft Siemens
Expires: January 19, 2006 H. Schulzrinne
Columbia U.
M. Shanmugam
TUHH
July 18, 2005
Security Threats and Requirements for Emergency Calling
draft-tschofenig-ecrit-security-threats-01.txt
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on January 19, 2006.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
With the increasing interest to replace parts of the public switched
telephone network (PSTN) with the IP-based network, the core
functionality of PSTN such as emergency services, has to be offered
when using IP-based technologies. Since the PSTN and the Internet
follow different design principles their architecture is quite
Tschofenig, et al. Expires January 19, 2006 [Page 1]
Internet-Draft Threats and Req. for Emergency July 2005
different. This fact has to be considered and security threats for
an IP-based emergency environment have to be re-evaluated. This
document investigates the potential threats against the IP based
emergency architecture. It focuses on some analysis of threats for
both the end hosts and the infrastructure that aims to support
emergency services.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Motivations of Attackers of ECRIT . . . . . . . . . . . . . 5
4. Basic Actors . . . . . . . . . . . . . . . . . . . . . . . . 6
5. Security Threats . . . . . . . . . . . . . . . . . . . . . . 9
5.1 Denial of Service Attacks . . . . . . . . . . . . . . . . 9
5.2 Call Identity Spoofing . . . . . . . . . . . . . . . . . . 9
5.3 Location Spoofing . . . . . . . . . . . . . . . . . . . . 10
5.4 Impersonating a PSAP . . . . . . . . . . . . . . . . . . . 10
5.5 Signaling Message Modification . . . . . . . . . . . . . . 11
5.6 Modification of the Emergency Call . . . . . . . . . . . . 11
5.7 Loss of confidentiality . . . . . . . . . . . . . . . . . 11
5.8 Replay Attack . . . . . . . . . . . . . . . . . . . . . . 11
5.9 Corrupting Configuration Information . . . . . . . . . . . 12
5.10 Corrupting Database Information . . . . . . . . . . . . 12
6. Security Requirements . . . . . . . . . . . . . . . . . . . 13
6.1 Denial of Service Attacks . . . . . . . . . . . . . . . . 13
6.2 Call Identity Spoofing . . . . . . . . . . . . . . . . . . 14
6.3 Location Spoofing . . . . . . . . . . . . . . . . . . . . 14
6.4 Impersonating a PSAP . . . . . . . . . . . . . . . . . . . 16
6.5 Signaling Message Modification . . . . . . . . . . . . . . 16
6.6 Replay Attack . . . . . . . . . . . . . . . . . . . . . . 17
6.7 Loss of confidentiality . . . . . . . . . . . . . . . . . 17
6.8 Modification of the Emergency Call . . . . . . . . . . . . 17
6.9 Corrupting Configuration Information . . . . . . . . . . . 17
6.10 Corrupting Database Information . . . . . . . . . . . . 18
6.11 Location Validation and Verification . . . . . . . . . . 18
7. Security Considerations . . . . . . . . . . . . . . . . . . 20
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . 21
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 22
9.1 Normative References . . . . . . . . . . . . . . . . . . . 22
9.2 Informative References . . . . . . . . . . . . . . . . . . 22
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 22
Intellectual Property and Copyright Statements . . . . . . . 23
Tschofenig, et al. Expires January 19, 2006 [Page 2]
Internet-Draft Threats and Req. for Emergency July 2005
1. Introduction
This document provides an overview of security mechanisms and
motivations for using them in the VoIP-based emergency services.
PSTN users can summon help for emergency services such as ambulance,
fire and police using a well known unique number (e.g., 911 in North
America, 112 in in Europe). With the introduction of IP-based
telephony support for emergency service also has to be provided. A
number of protocols and protocol extensions need to interwork in
order to provide emergency functionality.
Since the Internet is hostile place, it is important to understand
the security threats for emergency services. Otherwise, an adversary
can use the infrastructure to place fraudulent calls, mount denial of
service attacks, etc.
This document focuses on the security threats and security
requirements for the IP-based emergency service infrastructure only
without interaction with PSTN infrastructure elements.
A few discussions within this document are related to emergency
handling but solutions will not be developed as part of the ECRIT
working group. Hence, the are included mainly for completeness and
to point to the need to investigate additional aspects. Depending on
the chosen protocols (for the emergency call itself, for directory
access related to emergency call routing, for obtaining location
information from the network, etc.) various solutions might also
already be available to fulfill these security requirements and to
address the threats appropriately.
This document is organized as follows: Section 2 describes basic
terminology, Section 5 illustrates security threats and Section 6
lists security requirements.
Tschofenig, et al. Expires January 19, 2006 [Page 3]
Internet-Draft Threats and Req. for Emergency July 2005
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
Emergency Caller, Public Safety Answering Point (PSAP), Access
Infrastructure Provider, Application (Voice) Service Provider,
Emergency Call Taker, etc. is taken from [I-D.schulzrinne-ecrit-
requirements].
Additionally, we use the following terms throughout the document:
Emergency Call Routing Support: This term refers to entities that
route the emergency call to the appropriate PSAP based on
information like location information, language, etc. If SIP is
used as a protocol for session setup and call routing, for
example, then this entity would correspond to a SIP proxy.
Directory: This entity refers to a distributed directory protocol.
DNS is one example of such as distributed directory but there are
other protocols that might fulfill the requirements listed in
[I-D.schulzrinne-ecrit-requirements] for such a protocol.
Asserted Location Information: The term asserted location information
refers to the property that the recipient of such an object is
able to verify that it was generated by a particular party that is
authorized todo so.
Tschofenig, et al. Expires January 19, 2006 [Page 4]
Internet-Draft Threats and Req. for Emergency July 2005
3. Motivations of Attackers of ECRIT
The most obvious motivation for an attacker, in the context of
emergency, is to hinder user(s) not to avail the emergency service.
This can be done by variety of means such as impersonating a PSAP,
directory server, forging or spoofing location, identity etc.,
However,there are several other potential motivations that cause
concern. Attackers might also wish to learn the nature emergency
information by eavesdropping an emergency call in order to reuse or
extract the relevant information that might cause potential problems
to the end hosts such as replay attacks, revealing the identity of
the user.
Attackers may want to prevent or delay an emergency caller by
modifying some information in the message typically modifying the
loation of the caller, while placing the emergency call. In some
cases, this will lead the emergency repsonders to dispatch the
services to the spoofed ara and might not be available to the other
callers. It might also be possible for an attacker to impede the
users not to reach an appropriate PSAP by corrupting or modifying the
location of an end host or the information returned from the mapping
protocol. Since the regulatory aspects of the emergency call often
does not manadate authentication of the caller, it is easy for an
attacker to forge some data(location information) to an PSAP, thereby
forcing the emergency responders to dispatch the services, which
might cause a denial of service to its legitimate users.
Finally, some attackers may simply want to halt the operation of an
entire emergency architecture through denial-of-service attacks.
Tschofenig, et al. Expires January 19, 2006 [Page 5]
Internet-Draft Threats and Req. for Emergency July 2005
4. Basic Actors
In order to support emergency services covering a large physical area
various infrastructure elements are necessary: Access Infrastructure
Providers, Application (Voice) Service Provider, PSAPs as endpoints
for emergency calls, directory services or other infrastructure
elements that assist in during the call routing and potentially many
other entities.
This section outlines which entities will be considered in the threat
analysis and shows the high level architecture.
Location
Information +-----------------+
|(1) |Access | +-----------+
v |Infrastructure | | |
+-----------+ |Provider | | Directory |
| | | (3) | | |
| Emergency |<---+-----------------+-->| |
| Caller | | (2) | +-----------+
| |<---+-------+ | ^
+-----------+ | +----|---------+------+ |
^ | | Location | | |
| | | Information<-+ | |
| +--+--------------+ |(8) | | (5)
| | +-----------v+ | |
| (4) | |Emergency | | |
+--------------+--->|Call Routing|<--+---+
| | |Support | |
| | +------------+ |
| | ^ |
| | (6) | +----+--+
| (7) | +------->| |
+--------------+--------------->| PSAP |
| | |
|Application +----+--+
|(Voice) |
|Service |
|Provider |
+---------------------+
Figure 1: Framework
Figure 1 shows the interaction between the entities involved in the
call. There are a number of different deployment choices, as it can
be easily seen from the figure. The following deployment choices
need to be highlighted:
Tschofenig, et al. Expires January 19, 2006 [Page 6]
Internet-Draft Threats and Req. for Emergency July 2005
o How is location information provided to the end host? It might
either be known to the end host itself (due to manual
configuration or provided via GPS) or available via a third party.
Even if location information is known to the network it might be
made available to the end host. Alternatively, location
information is used as part of call routing and inserted by
intermediaries.
o Is the Access Infrastructure Provider also the Application (Voice)
Service Provider? In the Internet today these roles are typically
provided by different entities. As a consequence, the Application
(Voice) Service Provider is typically not able to learn the
physical location of the Emergency Caller.
Please note that the overlapping squares aim to indicate that certain
functionality can be collapsed into a single entity. As an example,
the Application (Voice) Service Provider might be the same entity as
the Access Infrastructure Provider and they might also operate the
PSAP. There is, however, no requirement that this must be the case.
Additionally it is worth pointing out that end systems might be its
own VoSP, e.g., for enterprises or residential users.
Below, we describe various interactions between the entities shown in
Figure 1 are described:
o (1) Location information might be available to the end host
itself.
o (2) Location information might, however, also be obtained from the
Access Infrastructure Provider (e.g., using DHCP or application
layer signaling protocols).
o (3) The Emergency Caller might need to consult a directory to
determine the PSAP that is appropriate for the physical location
of the emergency caller (and considering other attributes such as
a certain language support by the Emergency Call Takers).
o (4) The Emergency Caller might get assistance for emergency call
routing by infrastructure elements (referred as Emergency Call
Routing Support entities). In case of SIP these enities are
proxies.
o (5) Individual Emergency Call Routing Support entities might need
to consult a directory to determine where to route the emergency
call.
o (6) The Emergency Call Routing Support entities need to finally
forward the call, if infrastructure based emergency call routing
Tschofenig, et al. Expires January 19, 2006 [Page 7]
Internet-Draft Threats and Req. for Emergency July 2005
is used.
o (7) The emergency caller might interact directly with the PSAP
without any Emergency Call Routing Support entities.
Tschofenig, et al. Expires January 19, 2006 [Page 8]
Internet-Draft Threats and Req. for Emergency July 2005
5. Security Threats
This section discusses various security threats related to emergency
call handling.
5.1 Denial of Service Attacks
A (distributed) denial-of-service attack (DoS attack) on a PSAP, for
example, might isolate the PSAP from the Internet, for a while, thus
unable to receive the emergency calls at that time. Since a
particular PSAP is responsible for a certain geopraphical boundary,
attacking a single PSAP means denying the service to the entire area
(if no other backup PSAP is available). DoS attacks might appear in
many different flavors ranging from standard SYN floodings to attacks
where a human operator is involved then he has to determine whether
a call is in fact a true emergency call. In some cases this might
lead the case where the emergency staff (police, ambulance, etc.,)
might need to rush to the indicated emergency scene (potentionally an
arbitrary location) and will therefore not be available for other
rescue assignments during that time.
As such, PSAPs can be seen as a particularly valuable target since
the consequences of an unreachable PSAP has severe consequences.
Attacks against the routing infrastructure enables an adversary to
prevent all nodes attached to this network to sent emergency calls.
Attacks against entities that assist in the call routing (such as
attacks against the directory service) might make it difficult or
impossible for emergency call to reach its intended PSAP.
5.2 Call Identity Spoofing
If an adversary is able to make emergency calls without the need to
disclose its identity (such as a SIP URI or NAI) then prank calls
cannot be traced back. If the call is proxy-routed, the PSAP will
not see the IP address of the caller in signaling. Additionally, it
might be necessary for the Emergency Call Taker to initiate a voice,
video or instant messaging exchange towards the Emergency Caller.
Trying to find an adversary that placed a crank call is difficult if
somebody uses an open 802.11 access point, even if you can find the
owner of that access point. This problem is no different than
somebody placing an emergency call from a payphone.
If the adversary is never authenticated (neither to the PSAP nor to
the Access Infrastructure Provider) then it is possible to trace the
call back to a make a particular entity accountable.
Tschofenig, et al. Expires January 19, 2006 [Page 9]
Internet-Draft Threats and Req. for Emergency July 2005
A standard requirement for emergency systems is that emergency calls
must also be placed in absence of any authentication. An adversary
will typically exploit these weaknesses and he will always find
networks that do not perform network access authentication of the
user prior to providing network access. As such, the emergency
infrastructure cannot neither rely on network access authentication
nor on authentication of the caller towards the PSAP or the
Application (Voice) Service Provider.
It is necessary to point to the fact that authentication in the
emergency case might require the authorization procedure to be
skipped. For example, in an emergency case it is still possible to
authenticate the user of an emergency call but without considering
that its credits are exhausted.
5.3 Location Spoofing
An adversary might want to made-up faked location information in
order to fool the emergency personnel. This is made particularly
easy if the location information is provided by the Emergency Caller
either via manual configuration or via GPS. Spoofing is more
difficult if an entity proving Emergency Call Routing Support inserts
location information into emergency call signaling. In this case the
adversary needs to route the call via some intermediaries. This is
possible since these devices are often, by their nature as IP
devices, addressable from an arbitary physical location. The usage
of VPN (or other tunneling mechanisms) and proxies further
complicates the ability to infer the physical location from the IP
address seen by the PSAP.
5.4 Impersonating a PSAP
An adversary might pretend to operate a PSAP. When either an end
host or an intermediate device wants to determine the PSAP that is
responsible for a particular geographical area by sending a query to
the directory an adversary might return a faked response. Returning
an incorrect response message does not require the adversary to be
somewhere along the path. It is sufficient for an adversary to be
located in a broadcast medium and the adversary has to reply as soon
as a query is observed (if no security protection is utilized). If
the response indicates a legitimate but inappropriate (i.e., a PSAP
that is authoritive for a different geographical area) then the
emergency call interaction will be able to continue but will suffer
from delays until the emergency call can be forwarded to the correct
PSAP, potentially involving human interaction (by the Emergency Call
Taker).
Tschofenig, et al. Expires January 19, 2006 [Page 10]
Internet-Draft Threats and Req. for Emergency July 2005
5.5 Signaling Message Modification
An adversary that is located along the signaling path might modify
the content of emergency calls, such as location information or
identity information. This might lead to a denial of service attack
against the emergency personell, disruption of the emergency call,
delayed call setup, etc.
An adversary might want to inject signaling messages to terminate or
redirect the call to another location. Dropping or delaying
signaling messages is also possible for an on-path adversary.
Depending on the capability of the signaling protocol the range of
possible attacks might have been documented already.
5.6 Modification of the Emergency Call
An adversary along the media path might want to modify the data
traffic part of the emergency call (voice, video or instant message).
An attacker can change the message on-the-fly and fool the PSAP to
receive meaningless or bogus messages. The response messages to
Emergency Caller might also be subject to change, for example by
injecting a recorded failure message.
5.7 Loss of confidentiality
An adversary might eavesdrop an emergency call and use the
information to future sessions as part of replay attacks. The
ability to eavesdrop also allows to learn details about the emergency
situation which might be of interest for the press or other media
organizations. Please note that the location of the adversary is
important regarding the eavesdropped area. For example, an adversary
in a WLAN is typically able to see a small amount of traffic due to
the coverage area of typical WLAN network.
Reavealing the true identity of the user as part of the privacy
override mechanism might conflict with the users privacy settings.
5.8 Replay Attack
An adversary might want to use eavesdropped information to mount
attacks in the future. This might be necessary if information cannot
be re-created by the adversary (for example, asserted location
information). The ability to replay messages or individual objects
the specific property of these messages and objects is important.
For example, asserted location information might bind location
information and a timestamp with a digital signature together that
makes it difficult to reuse this object beyonds its lifetime.
Tschofenig, et al. Expires January 19, 2006 [Page 11]
Internet-Draft Threats and Req. for Emergency July 2005
[Editor's Note: It is sometimes hard to tell what are real threats
and what security threats are addressed already by certain solutions
outside the scope of the working group. Addressing all standard
security threats is a long process if certain mechanisms are required
in an case that largely or completely mitigate against these
threats.]
5.9 Corrupting Configuration Information
An adversary might override all locally configured emergency numbers.
This might be particular problematic if these emergency numbers are
dynamically retrieved using some mechanisms. As such, an Emergency
Caller would start a call that either leads to a blackhole (as such
it is a DoS attack), the Emergency Caller connects to a rogue PSAP or
to an inappropriate PSAP.
5.10 Corrupting Database Information
An attacker might want to provide emergency callers with wrong
information about emergency service contact URIs. An adversary can
accomplish this goal in various ways, including message modification,
spoofing or corrupting the database. Since the database provides a
pointer(e.g., SIP URI) to an appropriate PSAP, care must be taken
when retrieving emergency URI. A succesfull forging will lead the
user to reach either a false PSAP or to a black hole.
Tschofenig, et al. Expires January 19, 2006 [Page 12]
Internet-Draft Threats and Req. for Emergency July 2005
6. Security Requirements
[Editor's Note: A few requirements below are already addressed by a
number of requirements and solution specific documents today. In
order to keep the document short it would be reasonable to focus only
on the difficult security threats and requiremens for emergency calls
rather than enumerating everything that could happen to an emergency
call. The working group should decide how to proceed with this
particular issue and what threats and requirements should be
elaborated in more detail.]
Compiling security requirements to address the threats listed in the
previous section might is impacted by several constraints:
Security mechanisms may lead to a certain performance overhead
(e.g., several roundtrips).
A certain security infrastructure is required that might lead to
deployment problems. For example, end user certificates,
certificates for networks, usage of authorization certificate,
etc. might need to be deployed before any of these mechanisms are
useful.
Many of these aspects are related to regulatory and legal
requirements that may vary from country to country. Typically,
these mechanisms cannot be mandated by an IETF specification.
Some of the requirements impose solutions that are out-of-scope of
the ECRIT working group.
Given the above-listed constraints the requirements that have to be
addressed by work that is done within ECRIT have to be highlighted.
Other requirements have to be read as 'if you would like to address
this threat, then you might want to consider this requirement' rather
than 'any solution must address fulfill this requirement'.
6.1 Denial of Service Attacks
It is difficult to address all possible denial of service attacks
that might lead to disruption of an emergency call since a number of
IETF protocols are used in order to provide this functionality.
Hence, care must be taken when protocol extensions are developed that
the chance for a denial of service attack is not increased. Even
without using any security mechanisms (such as authentication and key
exchange protocols) some degree of security has to be provided.
It is important to understand that the ability to mount DoS attacks
must also be considered as part of the architecture work when legal
Tschofenig, et al. Expires January 19, 2006 [Page 13]
Internet-Draft Threats and Req. for Emergency July 2005
and regulatory requirements are known and need to be fulfilled.
6.2 Call Identity Spoofing
A standard requirement to prevent identity spoofing is to
authenticate the Emergency Caller. Authentication mechanisms that
require multiple roundtrips and as such might delay the call are
often not desirable or cannot be mandated.
6.3 Location Spoofing
An Emergency Caller might in many cases know its own location
information because it was obtained via civic or geospatial location
extensions for DHCP, via manual configuration or via GPS.
Unfortunately, information provided by the end host is untrustworthy
particularly when it is as important as location information. Two
approaches have been discussed in the past that place lead to a few
requirements:
o Location Information is asserted by the Access Infrastructure
Provider. As such, the end host might use GPS but uses a protocol
to allow the network to assert the location information. This
approach also has its limitations if the coverage area of the
wireless network is fairly large.
o Location Information is added to the emergency call via an
Emergency Call Routing Support entity. Depending on the protocol
used for call routing and on the properties of this protocol it
might be necessary to return the asserted location information to
the end host since intermediate nodes might not be allowed to
insert objects into the call setup messages (at least not in all
parts of the messages, such as bodies). These signaling entities,
in general, do not know the physiscal location of the user. Thus,
they have to rely on somebody else to actually provide the
location, e.g., the Access Infrastructure Provider.
As it can be seen from these two options the main difference is based
on the type of protocol that is used in the message communication.
This has an impact on the semantic and on the availability of certain
attributes (such as identities that are used by these protocols) and
on deployment constraints. Based on the observation that the Access
Infrastructure Provider is closest to the end host and is therefore
the most likely entity that knows something about the physical
location of the end host it seems to be reasonable to assume that
some entity that asserts the location information is actually
available in this particular network.
In the context of emergency, spoofing can be loosely divided into
Tschofenig, et al. Expires January 19, 2006 [Page 14]
Internet-Draft Threats and Req. for Emergency July 2005
o wide-area spoofing - users pretend to be in Germany but actually
in US.
o local-area spoofing - users spoof location information to an
extend (few miles).
o local-area cloning - users pretend to be in place X if they were
actually there, a while ago.
The following requirements need to be provided in order for asserted
location information to accomplish its goals:
o Location Information MUST be integrity protected to prevent
modifications by third parties.
o The recipient of the asserted location information object MUST be
able to determine the party that asserted the location information
in order to verify the assertion. As such, authentication of the
asserting party (the entity that created the assertion) MUST be
provided.
o The asserted location information MUST include a timestamp to
limit its validity in order to reduce replay attacks.
o The recipient of the asserted location information MUST have a way
to verify that the asserting party is indeed authorized to create
such an assertion. As such, authentication is insufficient if not
further authorization decision can be associated to the
authenticated identity.
o The recipient of the asserted location information SHOULD have a
mechanism to determine the Emergency Caller based on the provided
assertion.
The last bullet deserves further discussion: If some information
about the Emergency Caller identity has to be included, which is only
for the purpose of traceability then this functionality might not be
of general use. This is because an adversary will always find
networks that do not authenticate the user prior to providing network
access. Furthermore, the goal of a number of network access
authentication protocols is to prevent disclosure of the user
identity to entities other than to the user's home network. Note
that the term 'user idenity' does not require that this identity
directly points to the 'real' identity of a user. A court might want
to require this identity to be resolved and to determine the user
behind this identity. Even if the access network would like to
assertain the user's identity as part of the asserted location
information it is, in many cases, not even possible for the Access
Tschofenig, et al. Expires January 19, 2006 [Page 15]
Internet-Draft Threats and Req. for Emergency July 2005
Infrastructure Provider.
If the authenticated user identity is not available to the Access
Infrastructure Provider then only a few other identities might be
useful, such as the IP address or the MAC address. Other identities,
such as the Host Identity, might not be available since they are only
used by very few protocols. An assertion that indicates the network
in combination with the IP and/or MAC address (together with a
timestamp) might provide some limited degree of traceability only if
the user was authenticated directly to this particular network.
Providing the IP address allows some obvious attempts to cheat to be
caught. Hence, there is the question whether some identity should be
added at all given the potential limitations and the potential small
amounts of cut-and-paste attacks. Using end user based
authentication in addition to the asserted location information would
be helpful (e.g., using end user certificates) but will impose a
serious deployment problem. Given the fact that emergency calls must
still be allowed even without end user authentication certainly
defeats the purpose of these mechanisms. A partical attempt to
address some prank calls is to classify emergency calls based on the
availability of the provided attributes. If suspicious information
is being provided that may well be wrong then additional verification
steps need to be taken. For example, if a report of a large fire on
a Manhattan street is received then the PSAP may wait to dispatch
until it gets a second person to call in. This approach obviously
has some limitations as well.
6.4 Impersonating a PSAP
The Emergency Caller SHOULD be able to determine conclusively that he
has reached an accredited emergency call center. This requirement is
meant to address the threat that a rogue, possibly criminal, entity
pretends to accept emergency calls and disrupts the emergency
infrastructure.
o A user agent must be able to authenticate a PSAP.
Unlike in the PSTN case IP based networks provide a better
opportunity to spoof a PSAP since physical access to the cable plant
is required in the PSTN case, while this may not true for the IP
case.
6.5 Signaling Message Modification
To protect signaling messages against modifications either individual
attributes SHOULD be protected (such as location objects) or the
entire signaling message communication SHOULD experience end-to-end
protection. This requires integrity and replay protection to be
Tschofenig, et al. Expires January 19, 2006 [Page 16]
Internet-Draft Threats and Req. for Emergency July 2005
applied. Authentication of the data sender and the data receiver
SHOULD be provided to prevent a man-in-the-middle attack.
6.6 Replay Attack
In order to protect signaling messages (or individual attributes) to
be replayed in future protocol sessions integrity and replay
protection mechanisms SHOULD be provided.
6.7 Loss of confidentiality
In order to prevent leakage of information exchanged during the
emergency call (both signaling and data traffic) confidentiality
protection SHOULD be provided. The mechanisms to accomplish this
functionality are typically different for the data traffic and for
the signaling messages and various scenarios, such as hop-by-hop,
end-to-middle, middle-to-middle and end-to-end security, need to be
considered. Particularly the key management aspects for end-to-end
security mechansisms imposes a deployment burden and hence need to be
critically analysed in order to determine its applicability in the
given context.
6.8 Modification of the Emergency Call
To protect a man-in-the-middle attack i.e disallow the adversary to
modify or to inject data traffic into the communication between the
Emergency Caller and the PSAP, the mechanisms like integrity, replay
and data origin authentication SHOULD be provided. Since the
signaling messages are used to authenticate the end points and to
distribute the required keying material it is necessary that either
the key exchange protocol itself and the signaling messages
experience appropriate security protection. The term 'appropriate'
refers to the given context, the used signaling protocol and the key
exchange protocol.
Please note that the interactive nature of a voice communication
already provides a some degree of protection. However, with the
introduction of instant messaging the freshness of the Emergency Call
needs to be provided by other means.
6.9 Corrupting Configuration Information
Devices SHOULD be assured of the correctness of the local emergency
numbers that are automatically configured. If we assume a fixed,
global emergency service identifier that requires no configuration
and only configure local "traditional" emergency numbers, users are
not likely to suddenly dial some random number if a rogue
configuration server introduces this as an additional emergency
Tschofenig, et al. Expires January 19, 2006 [Page 17]
Internet-Draft Threats and Req. for Emergency July 2005
number. The ability to override all locally configured emergency
number is of more concern. If the Emergency Caller does not use the
infrastructure to route the call to the appropriate PSAP then the
security of the directory service is of importance for security.
6.10 Corrupting Database Information
If the mapping client i.e., the entity that requests location
information using a mapping protocol accepts the emergency contact
information from an unauthenticated mapping server i.e., the entity
that provides location information, it is highly possible to receive
bogus or prank emergency contact URIs. Particularly the caching
properties of a distributed directory might be exploited. To ensure
the secure retrieval of information, the following properties are
assumed:
o The maping client MUST be able to authenticate the mapping server.
o The interaction between the mapping client and the mapping server
MUST be integrity and replay protected.
o The mapping server MUST be provide data origin authentication
thereby ensuring that the provided data items are indeed from the
claimed source.
o The mapping server MUST provide information to ensure that it is
authoritive for the provided information.
6.11 Location Validation and Verification
location validation ensures that an address exists and is mappable to
a PSAP. A valid address, however, does not imply that the call
actually originated from that location. We refer to location
verification as the assurance that the call was placed at the
location claimed, including any error margins provided.
Verifying a location is generally more difficult than location
validation as there is currently no generally trusted service that
can vouch for the location of the caller. In some cases, AIPs or
ISPs may be able to indicate the location of the caller with high
confidence and they may possess cryptographic certificates that are
trusted by the PSAP. This may not require a global certification
authority (CA), as a regional PSAP typically only deals with a modest
number of larger enterprises and thus could obtain their public keys
even if self-signed.
However, even if the AIP or ISP provides a signed location, it is
Tschofenig, et al. Expires January 19, 2006 [Page 18]
Internet-Draft Threats and Req. for Emergency July 2005
difficult to ensure that such a signed location object is only used
for calls from that location, as it will have to be copied from a
location delivery protocol to the call signaling protocol. For
example, a third party could obtain such a signed location object and
use it elsewhere. Naturally, timestamps will restrict such usage to
the order of minutes or hours, depending on how often location
information is updated. A PSAP may want to be able to answer the
following questions:
o Who originally provided this particular location information?
o Did the call originate from that particular geospatial or civic
address and who says so and how do they know?
Tschofenig, et al. Expires January 19, 2006 [Page 19]
Internet-Draft Threats and Req. for Emergency July 2005
7. Security Considerations
This document addresses security threats and security requirements.
Therefore, security is considered throughout this document.
Tschofenig, et al. Expires January 19, 2006 [Page 20]
Internet-Draft Threats and Req. for Emergency July 2005
8. IANA Considerations
This document does not require actions by the IANA.
Tschofenig, et al. Expires January 19, 2006 [Page 21]
Internet-Draft Threats and Req. for Emergency July 2005
9. References
9.1 Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", March 1997.
9.2 Informative References
[I-D.schulzrinne-ecrit-requirements]
Schulzrinne, H. and R. Marshall, "Requirements for
Emergency Context Resolution with Internet Technologies",
May 2005.
Authors' Addresses
Hannes Tschofenig
Siemens
Otto-Hahn-Ring 6
Munich, Bayern 81739
Germany
Email: Hannes.Tschofenig@siemens.com
Henning Schulzrinne
Columbia University
Department of Computer Science
450 Computer Science Building
New York, NY 10027
USA
Phone: +1 212 939 7042
Email: schulzrinne@cs.columbia.edu
URI: http://www.cs.columbia.edu/~hgs
Murugaraj Shanmugam
Technische Universitat Hamburg-Harburg
Department of Security in Distributed applications
Harburger Schlossstrasse 20
Hamburg-Harburg 21079
Germany
Email: murugaraj.shanmugam@tuhh.de
Tschofenig, et al. Expires January 19, 2006 [Page 22]
Internet-Draft Threats and Req. for Emergency July 2005
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Disclaimer of Validity
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The Internet Society (2005). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Acknowledgment
Funding for the RFC Editor function is currently provided by the
Internet Society.
Tschofenig, et al. Expires January 19, 2006 [Page 23]