draft-ietf-ecrit-trustworthy-location-06.txt   draft-ietf-ecrit-trustworthy-location-07.txt 
ECRIT Working Group H. Tschofenig ECRIT Working Group H. Tschofenig
INTERNET-DRAFT Nokia Siemens Networks INTERNET-DRAFT Nokia Siemens Networks
Category: Informational H. Schulzrinne Category: Informational H. Schulzrinne
Expires: January 14, 2014 Columbia University Expires: February 14, 2014 Columbia University
B. Aboba (ed.) B. Aboba (ed.)
Skype Skype
15 July 2013 30 July 2013
Trustworthy Location Trustworthy Location
draft-ietf-ecrit-trustworthy-location-06.txt draft-ietf-ecrit-trustworthy-location-07.txt
Abstract Abstract
For some location-based applications, such as emergency calling or For some location-based applications, such as emergency calling or
roadside assistance, the trustworthiness of location information is roadside assistance, the trustworthiness of location information is
critically important. critically important.
This document describes how to convey location in a manner that is This document describes how to convey location in a manner that is
inherently secure and reliable. It also provides guidelines for inherently secure and reliable. It also provides guidelines for
assessing the trustworthiness of location information. assessing the trustworthiness of location information.
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 14, 2014. This Internet-Draft will expire on February 14, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
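Review bot: The new expiry line, "This Internet-Draft will expire on February 14, 2014", does not match the revised document date of 30 July 2013 under the six-month maximum stated two sentences earlier in the same boilerplate. The previous pairing (15 July 2013, expiring January 14, 2014) was consistent with that limit. It appears the month was advanced without recomputing from the new date. Recompute the expiry from 30 July 2013, and update the "Expires:" header line to match.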
skipping to change at page 4, line 49 skipping to change at page 4, line 49
for a Location-by-Reference Mechanism" [RFC5808]. for a Location-by-Reference Mechanism" [RFC5808].
"Trustworthy Location" is defined as location information that can be "Trustworthy Location" is defined as location information that can be
attributed to a trusted source, has been protected against attributed to a trusted source, has been protected against
modification in transmit, and has been assessed as trustworthy. modification in transmit, and has been assessed as trustworthy.
"Location Trust Assessment" refers to the process by which the "Location Trust Assessment" refers to the process by which the
reliability of location information can be assessed. This topic is reliability of location information can be assessed. This topic is
discussed in Section 4. discussed in Section 4.
[I.D.thomson-geopriv-location-dependability] Section 2 defines The following additional terms apply to location spoofing:
terminology relating to location fabrication:
Place Shifting: In place shifting, an attacker selects any location
(presumably somewhere other than where they are currently located)
and constructs a PIDF-LO based on that information.
Time Shifting: In a time shifting, or replay, attack the attacker "Place Shifting" is where the attacker constructs a PIDF-LO for a
uses location information that was valid in the past, but is no location other than where they are currently located. In some cases,
longer valid because the attacker has moved since the location was place shifting can be limited in range (e.g., within the coverage
generated. area of a particular cell tower).
Location Theft: An attacker that is able to observe the Target's "Time Shifting" is where the attacker uses or re-uses location
location information can replay this information and thereby information that was valid in the past, but is no longer valid
appear to be at the same location. because the attacker has moved.
Location Swapping: Two colluding attackers can conspire to fake "Location Theft" is where the attacker captures a Target's location
location by exchanging location information. One attacker can information and presents it as their own. Location theft can occur
pretend to be at the other's location. on a one-off basis, or may be continuous (e.g., where the attacker
has gained control over the victim's device). Location theft may
also be combined with time shifting to present someone else's
location information after the original Target has moved. Where the
Target and attacker collude, the term "location swapping" is used.
2. Threats 2. Threats
While previous IETF documents have analyzed aspects of the security While previous IETF documents have analyzed aspects of the security
of emergency services or threats to geographic location privacy, of emergency services or threats to geographic location privacy,
those documents do not cover the threats arising from unreliable those documents do not cover the threats arising from unreliable
location information. location information.
A threat analysis of the emergency services system is provided in A threat analysis of the emergency services system is provided in
"Security Threats and Requirements for Emergency Call Marking and "Security Threats and Requirements for Emergency Call Marking and
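Review bot: In the rewritten terminology, "location swapping" no longer has its own entry and is defined only in the closing sentence of "Location Theft" ("Where the Target and attacker collude, the term "location swapping" is used"), while Section 2 still lists it as a separate example. Give it its own quoted entry beside "Place Shifting", "Time Shifting" and "Location Theft" so that all four terms used later are defined in the same way. The new "Time Shifting" entry also drops the words "or replay" that the old entry carried; consider keeping them so the link to replay attacks stays explicit. The unchanged definition of "Trustworthy Location" still reads "modification in transmit", which looks like a typo for "in transit" and could be fixed in this revision. Finally, the reference to [I.D.thomson-geopriv-location-dependability] is removed here; if the new definitions are still derived from that document, keep an attribution.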
skipping to change at page 6, line 51 skipping to change at page 6, line 50
several avenues are available to provide false location information: several avenues are available to provide false location information:
1. The end host could fabricate a PIDF-LO and convey it within an 1. The end host could fabricate a PIDF-LO and convey it within an
emergency call; emergency call;
2. The VSP (and indirectly a LIS) could be fooled into using the 2. The VSP (and indirectly a LIS) could be fooled into using the
wrong identity (such as an IP address) for location lookup, wrong identity (such as an IP address) for location lookup,
thereby providing the end host with misleading location thereby providing the end host with misleading location
information; information;
3. Inaccurate or out-of-date information (such spoofed GPS 3. Inaccurate or out-of-date information (such as spoofed GPS
signals, a stale wiremap or an inaccurate access point location signals, a stale wiremap or an inaccurate access point location
database) could be utilized by the LIS or the end host in its database) could be utilized by the LIS or the end host in its
location determination, thereby leading to an inaccurate location determination, thereby leading to an inaccurate
determination of location. determination of location.
The following represent examples of location forging threats: The following represent examples of location spoofing:
Place shifting: Trudy, the adversary, pretends to be at an arbitrary Place shifting: Trudy, the adversary, pretends to be at an
location. In some cases, place shifting can be limited in range, arbitrary location.
e.g., to the coverage area of a particular cell tower.
Time shifting: Trudy pretends to be at a location she was a while Time shifting: Trudy pretends to be at a location she was a
ago. while ago.
Location theft: Trudy observes Alice's location and replays it as Location theft: Trudy observes Alice's location and replays
her own. it as her own.
Location swapping: Trudy and Malory, located in different locations, Location swapping: Trudy and Malory collude and swap location
can collude and swap location information and pretend to be in information, pretending to be in each other's location.
each other's location.
2.2. Identity Spoofing 2.2. Identity Spoofing
With calls originating on an IP network, at least two forms of With calls originating on an IP network, at least two forms of
identity are relevant, with the distinction created by the split identity are relevant, with the distinction created by the split
between the AIP and the VSP: between the AIP and the VSP:
(a) network access identity such as might be determined via (a) network access identity such as might be determined via
authentication (e.g., using the Extensible Authentication Protocol authentication (e.g., using the Extensible Authentication Protocol
(EAP) [RFC3748]); (EAP) [RFC3748]);
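Review bot: The revised location swapping example ("Trudy and Malory collude and swap location information") no longer agrees with the terminology added earlier in this revision, which reserves "location swapping" for the case where the Target and the attacker collude. Either say which of the two parties is the Target, or reword the terminology so that it covers two colluding attackers, as the old text did. The old example's qualifier "located in different locations" is also dropped; without it the example does not say why the swap yields a false location, so consider keeping it. As a style point, the name is conventionally spelled "Mallory".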
 End of changes. 14 change blocks. 
32 lines changed or deleted 29 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/