draft-ietf-geopriv-l7-lcp-ps-00.txt   draft-ietf-geopriv-l7-lcp-ps-01.txt 
Network Working Group H. Tschofenig Network Working Group H. Tschofenig
Internet-Draft Siemens Networks GmbH & Co KG Internet-Draft Nokia Siemens Networks
Intended status: Informational H. Schulzrinne Intended status: Informational H. Schulzrinne
Expires: July 9, 2007 Columbia U. Expires: October 8, 2007 Columbia U.
January 5, 2007 April 6, 2007
GEOPRIV Layer 7 Location Configuration Protocol; Problem Statement and GEOPRIV Layer 7 Location Configuration Protocol; Problem Statement and
Requirements Requirements
draft-ietf-geopriv-l7-lcp-ps-00.txt draft-ietf-geopriv-l7-lcp-ps-01.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 36 skipping to change at page 1, line 36
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on July 9, 2007. This Internet-Draft will expire on October 8, 2007.
Copyright Notice Copyright Notice
Copyright (C) The IETF Trust (2007). Copyright (C) The IETF Trust (2007).
Abstract Abstract
This document provides a problem statement, lists requirements and This document provides a problem statement, lists requirements and
captures discussions for a GEOPRIV Layer 7 Location Configuration captures discussions for a GEOPRIV Layer 7 Location Configuration
Protocol (LCP). This protocol aims to allow an end host to obtain Protocol (LCP). This protocol aims to allow an end host to obtain
location information, by value or by reference, from a Location location information, by value or by reference, from a Location
Information Server (LIS) that is located in the access network. The Server (LS) that is located in the access network. The obtained
obtained location information can then be used for a variety of location information can then be used for a variety of different
different protocols and purposes. For example, it can be used as protocols and purposes. For example, it can be used as input to the
input to the Location-to-Service Translation Protocol (LoST) or to Location-to-Service Translation Protocol (LoST) or to convey location
convey location within SIP to other entities. within SIP to other entities.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . 5 3. Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.1. Fixed Wired Environment . . . . . . . . . . . . . . . . . 5 3.1. Fixed Wired Environment . . . . . . . . . . . . . . . . . 5
3.2. Moving Network . . . . . . . . . . . . . . . . . . . . . . 7 3.2. Moving Network . . . . . . . . . . . . . . . . . . . . . . 7
3.3. Wireless Access . . . . . . . . . . . . . . . . . . . . . 9 3.3. Wireless Access . . . . . . . . . . . . . . . . . . . . . 9
4. Discovery of the Location Information Server . . . . . . . . . 11 4. Discovery of the Location Information Server . . . . . . . . . 11
5. Identifier for Location Determination . . . . . . . . . . . . 13 5. Identifier for Location Determination . . . . . . . . . . . . 13
6. Virtual Private Network (VPN) Considerations . . . . . . . . . 17 6. Requirements . . . . . . . . . . . . . . . . . . . . . . . . . 17
6.1. VPN Tunneled Internet Traffic . . . . . . . . . . . . . . 17 7. Security Considerations . . . . . . . . . . . . . . . . . . . 19
6.2. VPN Client and End Point Physically Co-Located . . . . . . 17 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20
6.3. VPN Client and End Point Physically Separated . . . . . . 18 9. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 21
7. Location-by-Reference and Location Subscriptions . . . . . . . 20 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 22
8. Preventing Faked Location based DoS Attacks . . . . . . . . . 22 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 23
8.1. Security Threat . . . . . . . . . . . . . . . . . . . . . 22 11.1. Normative References . . . . . . . . . . . . . . . . . . . 23
8.2. Discussion about Countermeasures . . . . . . . . . . . . . 22 11.2. Informative References . . . . . . . . . . . . . . . . . . 23
9. Requirements . . . . . . . . . . . . . . . . . . . . . . . . . 28 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 25
10. Security Considerations . . . . . . . . . . . . . . . . . . . 30 Intellectual Property and Copyright Statements . . . . . . . . . . 26
10.1. Capabilities of the Adversary . . . . . . . . . . . . . . 30
10.2. Threats . . . . . . . . . . . . . . . . . . . . . . . . . 30
10.3. Requirements . . . . . . . . . . . . . . . . . . . . . . . 32
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 33
12. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 34
13. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 35
14. References . . . . . . . . . . . . . . . . . . . . . . . . . . 36
14.1. Normative References . . . . . . . . . . . . . . . . . . . 36
14.2. Informative References . . . . . . . . . . . . . . . . . . 36
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 38
Intellectual Property and Copyright Statements . . . . . . . . . . 39
1. Introduction 1. Introduction
This document provides a problem statement, lists requirements and This document provides a problem statement, lists requirements and
captures discussions for a GEOPRIV Layer 7 Location Configuration captures discussions for a GEOPRIV Layer 7 Location Configuration
Protocol (LCP). The protocol has two purposes: Protocol (LCP). The protocol has two purposes:
o It is used to obtain location information from a special node, o It is used to obtain location information from a special node,
called the Location Information Server (LIS). called the Location Server (LS).
o It enables the end host to obtain a reference to location o It enables the end host to obtain a reference to location
information. This reference can take the form of a subscription information. This reference can take the form of a subscription
URI, such as a SIP presence URI, an HTTP/HTTPS URI, or any others. URI, such as a SIP presence URI, an HTTP/HTTPS URI, or any others.
The requirements related to the task of obtaining such a reference
are described in a separate document, see [4].
The need for these two functions can be derived from the scenarios The need for these two functions can be derived from the scenarios
presented in Section 3. presented in Section 3.
For this document we assume that the GEOPRIV Layer 7 LCP runs between
the end host (i.e., the Target in [1] terminology) acting as the LCP
client and the Location Server acting as an LCP server.
This document splits the problem space into separate parts and This document splits the problem space into separate parts and
discusses them in separate subsections. Section 4 discusses the discusses them in separate subsections. Section 4 discusses the
challenge of discovering the Location Information Server in the challenge of discovering the Location Information Server in the
access network. Section 5 compares different types of identifiers access network. Section 5 compares different types of identifiers
that can be used to retrieve location information. The concept of that can be used to retrieve location information. A list of
subscription URIs is described in Section 7. Digitally signing requirements for the GEOPRIV Layer 7 Location Configuration Protocol
location information and the perceived benefits are covered in can be found in Section 6.
Section 8. A list of requirements for the GEOPRIV Layer 7 Location
Configuration Protocol can be found in Section 9. This work is
heavily influenced by security considerations. Hence, almost all
sections address security concerns. A list of desired security
properties can be found in Section 10 together with a discussion
about possible threat models.
This document does not describe how the access network provider This document does not describe how the access network provider
determines the location of the end host. determines the location of the end host since this is largely a
matter of the capabilities of specific link layer technologies.
2. Terminology 2. Terminology
In this document, the key words "MUST", "MUST NOT", "REQUIRED", In this document, the key words "MUST", "MUST NOT", "REQUIRED",
"SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
and "OPTIONAL" are to be interpreted as described in RFC 2119 [1], and "OPTIONAL" are to be interpreted as described in RFC 2119 [2],
with the qualification that unless otherwise stated these words apply with the qualification that unless otherwise stated these words apply
to the design of the GEOPRIV Layer 7 Location Configuration Protocol. to the design of the GEOPRIV Layer 7 Location Configuration Protocol.
We also use terminology from [2] and [3]. We also use terminology from [1] and [3].
3. Scenarios 3. Scenarios
The following network types are within scope: This section describes a few network scenarios where the GEOPRIV
Layer 7 Location Configuration Protocol may be used. Note that this
section does not aim to list all possible deployment environments
exhaustively. We focus on the description of the following
environments:
o DSL/Cable networks, WiMax-like fixed access o DSL/Cable networks, WiMax-like fixed access
o Airport, City, Campus Wireless Networks, such as 802.11a/b/g, o Airport, City, Campus Wireless Networks, such as 802.11a/b/g,
802.16e/Wimax 802.16e/Wimax
o 3G networks o 3G networks
o Enterprise networks o Enterprise networks
We illustrate a few examples below. We illustrate a few examples below.
3.1. Fixed Wired Environment 3.1. Fixed Wired Environment
The following figure shows a DSL network scenario with the Access The following figure shows a DSL network scenario with the Access
Network Provider and the customer premises. The Access Network Network Provider and the customer premises. The Access Network
Provider operates link and network layer devices (represented as Provider operates link and network layer devices (represented as
Node) and the Location Information Server (LIS). Node) and the Location Server (LS).
+---------------------------+ +---------------------------+
| | | |
| Access Network Provider | | Access Network Provider |
| | | |
| +--------+ | | +--------+ |
| | Node | | | | Node | |
| +--------+ +----------+ | | +--------+ +----------+ |
| | | | LIS | | | | | | LS | |
| | +---| | | | | +---| | |
| | +----------+ | | | +----------+ |
| | | | | |
+-------+-------------------+ +-------+-------------------+
| Wired Network | Wired Network
<----------------> Access Network Provider demarc <----------------> Access Network Provider demarc
| |
+-------+-------------------+ +-------+-------------------+
| | | | | |
| +-------------+ | | +-------------+ |
skipping to change at page 9, line 10 skipping to change at page 9, line 10
Further examples of moving networks can be found in busses, trains, Further examples of moving networks can be found in busses, trains,
airplanes. airplanes.
Figure 2 shows an example topology for a moving network. Figure 2 shows an example topology for a moving network.
+--------------------------+ +--------------------------+
| Wireless | | Wireless |
| Access Network Provider | | Access Network Provider |
| | | |
| +----------+| | +----------+|
| +-------+ LIS || | +-------+ LS ||
| | | || | | | ||
| +---+----+ +----------+| | +---+----+ +----------+|
| | Node | | | | Node | |
| | | | | | | |
| +---+----+ | | +---+----+ |
| | | | | |
+------+-------------------+ +------+-------------------+
| Wireless Interface | Wireless Interface
| |
+------+-------------------+ +------+-------------------+
skipping to change at page 9, line 40 skipping to change at page 9, line 40
|| A | \+ B | | || A | \+ B | |
|+--------+ +--------+ | |+--------+ +--------+ |
+--------------------------+ +--------------------------+
Figure 2: Moving Network Figure 2: Moving Network
3.3. Wireless Access 3.3. Wireless Access
Figure 3 shows a wireless access network where a moving end host Figure 3 shows a wireless access network where a moving end host
obtains location information or references to location information obtains location information or references to location information
from the LIS. The access equipment us, in many cases, link layer from the LS. The access equipment uses, in many cases, link layer
devices. This figure represents a hotspot network found in hotels, devices. This figure represents a hotspot network found in hotels,
airports, coffee shops. airports, coffee shops. For editorial reasons we only describe a
single access point and do not depict how the LS obtains location
information since this is very deployment specific.
+--------------------------+ +--------------------------+
| Access Network Provider | | Access Network Provider |
| | | |
| +----------+| | +----------+|
| +-------| LIS || | +-------| LS ||
| | | || | | | ||
| +--------+ +----------+| | +--------+ +----------+|
| | Access | | | | Access | |
| | Point | | | | Point | |
| +--------+ | | +--------+ |
| | | | | |
+------+-------------------+ +------+-------------------+
| |
+------+ +------+
| End | | End |
| Host | | Host |
+------+ +------+
Figure 3: Wireless Access Scenario Figure 3: Wireless Access Scenario
4. Discovery of the Location Information Server 4. Discovery of the Location Information Server
When an end host wants to retrieve location information from the LIS When an end host wants to retrieve location information from the LS
it first needs to discover it. Based on the problem statement of it first needs to discover it. Based on the problem statement of
determining the location of the end host, which is known best by determining the location of the end host, which is known best by
entities close to the end host itself, we assume that the LIS is entities close to the end host itself, we assume that the LS is
located in the access network. Several procedures have been located in the access network. Several procedures have been
investigated that aim to discovery the LIS in such an access network. investigated that aim to discovery the LS in such an access network.
DHCP-based Discovery: DHCP-based Discovery:
In some environments the Dynamic Host Configuration Protocol might In some environments the Dynamic Host Configuration Protocol might
be a good choice for discovering the FQDN or the IP address of the be a good choice for discovering the FQDN or the IP address of the
LIS. In environments where DHCP can be used it is also possible LS. In environments where DHCP can be used it is also possible to
to use the already defined location extensions. In environments use the already defined location extensions. In environments with
with legacy devices, such as the one shown in Section 3.1, a DHCP legacy devices, such as the one shown in Section 3.1, a DHCP based
based discovery solution is not possible. discovery solution is not possible.
DNS-based Discovery: DNS-based Discovery:
With this idea the end host obtains its public IP address (e.g., With this idea the end host obtains its public IP address (e.g.,
via STUN [4]) in order to obtain its domain name (via the usual via STUN [5]) in order to obtain its domain name (via the usual
reverse DNS lookup). Then, the SRV or NAPTR record for that reverse DNS lookup). Then, the SRV or NAPTR record for that
domain is retrieved. This relies on the user's public IP address domain is retrieved. This relies on the user's public IP address
having a DNS entry. having a DNS entry.
Redirect Rule: Redirect Rule:
A redirect rule at a device in the access network, for example at A redirect rule at a device in the access network, for example at
the AAA client, will be used to redirect the Geopriv-L7 signalling the AAA client, will be used to redirect the Geopriv-L7 signalling
messages (destined to a specific port) to the LIS. The end host messages (destined to a specific port) to the LS. The end host
could then discover the LIS by sending a packet to almost any could then discover the LS by sending a packet to almost any
address (as long it is not in the local network). The packet address (as long it is not in the local network). The packet
would be redirected to the respective LIS being configured. The would be redirected to the respective LS being configured. The
same procedure is used by captive portals whereby any HTTP traffic same procedure is used by captive portals whereby any HTTP traffic
is intercepted and redirected. is intercepted and redirected.
Multicast Query: Multicast Query:
An end node could also discover a LIS by sending a multicast An end node could also discover a LS by sending a multicast
request to a well-known address. An example of such a mechanism request to a well-known address. An example of such a mechanism
is multicast DNS (see [5] and [6]). is multicast DNS (see [6] and [7]).
The LIS discovery procedure raises deployment and security issues. The LS discovery procedure raises deployment and security issues.
When an end host discovers a LIS, When an end host discovers a LS,
1. it does not talk to a man-in-the-middle adversary, and 1. it does not talk to a man-in-the-middle adversary, and
2. it needs to ensure that the discovered entity is indeed an 2. it needs to ensure that the discovered entity is indeed an
authorized LIS. authorized LS.
5. Identifier for Location Determination 5. Identifier for Location Determination
The LIS returns location information to the end host when it receives The LS returns location information to the end host when it receives
a request. Some form of identifier is therefore needed to allow the a request. Some form of identifier is therefore needed to allow the
LIS to determine the current location of the target or a good LS to determine the current location of the target or a good
approximation of it. approximation of it.
The chosen identifier needs to have the following properties: The chosen identifier needs to have the following properties:
Ability for end host to learn or know the identifier: Ability for end host to learn or know the identifier:
The end host MUST know or MUST be able to learn the identifier The end host MUST know or MUST be able to learn the identifier
(explicitly or implicitly) in order to send it to the LIS. (explicitly or implicitly) in order to send it to the LS.
Implicitly refers to the situation where a device along the path Implicitly refers to the situation where a device along the path
between the end host and the LIS modifies the identifier, as it is between the end host and the LS modifies the identifier, as it is
done by a NAT when an IP address based identifier is used. done by a NAT when an IP address based identifier is used.
Ability to use the identifier for location determination: Ability to use the identifier for location determination:
The LIS MUST be able to use the identifier (directly or The LS MUST be able to use the identifier (directly or indirectly)
indirectly) for location determination. Indirectly refers to the for location determination. Indirectly refers to the case where
case where the LIS uses other identifiers locally within the the LS uses other identifiers locally within the access network,
access network, in addition to the one provided by the end host, in addition to the one provided by the end host, for location
for location determination. determination.
Security properties of the identifier: Security properties of the identifier:
Misuse needs to be minimized whereby off-path adversary MUST NOT Misuse needs to be minimized whereby off-path adversary MUST NOT
be able to obtain location information of other hosts. A on-path be able to obtain location information of other hosts. A on-path
adversary in the same subnet SHOULD NOT be able to spoof the adversary in the same subnet SHOULD NOT be able to spoof the
identifier of another host in the same subnet. identifier of another host in the same subnet.
The problem is further complicated by the requirement that the end The problem is further complicated by the requirement that the end
host should not be aware of the network topology and the LIS must be host should not be aware of the network topology and the LS must be
placed in such a way that it can determine location information with placed in such a way that it can determine location information with
the available information. As shown in Figure 1 the host behind the the available information. As shown in Figure 1 the host behind the
NTE/NAPT-DHCP device is not visible to the access network and the LIS NTE/NAPT-DHCP device is not visible to the access network and the LS
itself. In the DSL network environment some identifier used at the itself. In the DSL network environment some identifier used at the
NTE is observable for by the LIS/access network. NTE is observable for by the LS/access network.
The following list discusses frequently mentioned identifiers and The following list discusses frequently mentioned identifiers and
their properties: their properties:
Host MAC address: Host MAC address:
The host MAC address is known to the end system, but not carried The host MAC address is known to the end system, but not carried
over an IP hop. over an IP hop.
ATM VCI/VPI: ATM VCI/VPI:
skipping to change at page 14, line 44 skipping to change at page 14, line 44
known by the router and not to the end host. To the network, the known by the router and not to the end host. To the network, the
authenticated user identity is only available if a network access authenticated user identity is only available if a network access
authentication procedure is executed. In case of roaming it still authentication procedure is executed. In case of roaming it still
might not be available to the access network since security might not be available to the access network since security
protocols might provide user identity confidentiality and thereby protocols might provide user identity confidentiality and thereby
hide the real identity of the user allowing the access network to hide the real identity of the user allowing the access network to
only see a pseudonym or a randomized string. only see a pseudonym or a randomized string.
Host Identifier: Host Identifier:
The Host Identifier introduced by the Host Identity Protocol [7] The Host Identifier introduced by the Host Identity Protocol [8]
allows identification of a particular host. Unfortunately, the allows identification of a particular host. Unfortunately, the
network can only use this identifier for location determination if network can only use this identifier for location determination if
the operator already stores an mapping of host identities to the operator already stores an mapping of host identities to
location information. Furthermore, there is a deployment problem location information. Furthermore, there is a deployment problem
since the host identities are not used in todays networks. since the host identities are not used in todays networks.
Cryptographically Generated Address (CGA): Cryptographically Generated Address (CGA):
The concept of a Cryptographically Generated Address (CGA) was The concept of a Cryptographically Generated Address (CGA) was
introduced by [8]. The basic idea is to put the truncated hash of introduced by [9]. The basic idea is to put the truncated hash of
a public key into the interface identifier part of an IPv6 a public key into the interface identifier part of an IPv6
address. In addition to the properties of an IP address it allows address. In addition to the properties of an IP address it allows
a proof of ownership. Hence, a return routability check can be a proof of ownership. Hence, a return routability check can be
omitted. omitted.
Network Access Identifiers: Network Access Identifiers:
A Network Access Identifier [9] is only used during the network A Network Access Identifier [10] is only used during the network
access authentication procedure in RADIUS [10] or Diameter [11]. access authentication procedure in RADIUS [11] or Diameter [12].
Furthermore, in a roaming scenario it does not help the access Furthermore, in a roaming scenario it does not help the access
network to make meaningful decisions since the username part might network to make meaningful decisions since the username part might
be a pseudonym and there is no relationship to the end host's be a pseudonym and there is no relationship to the end host's
location. location.
Unique Client Identifier Unique Client Identifier
The DSL Forum has defined that all devices that expect to be The DSL Forum has defined that all devices that expect to be
managed by the TR-069 interface be able to generate an identifier managed by the TR-069 interface be able to generate an identifier
as described in DSL Forum TR-069v2 Section 3.4.4. It also has a as described in DSL Forum TR-069v2 Section 3.4.4. It also has a
requirement that routers that use DHCP to the WAN use RFC 4361 requirement that routers that use DHCP to the WAN use RFC 4361
[12] to provide the DHCP server with a unique client identifier. [13] to provide the DHCP server with a unique client identifier.
This identifier is, however, not visible to the end host with the This identifier is, however, not visible to the end host with the
assumption of a legacy device like the NTE. If we assume that the assumption of a legacy device like the NTE. If we assume that the
LTE can be modified then a number of solutions come to mind LTE can be modified then a number of solutions come to mind
including DHCP based location delivery. including DHCP based location delivery.
IP Address: IP Address:
The end host's IP address may be used for location determination. The end host's IP address may be used for location determination.
This IP address is not visible to the LIS if the end host is This IP address is not visible to the LS if the end host is behind
behind one or multipel NATs. This is, however, not a problem one or multipel NATs. This is, however, not a problem since the
since the location of a host that is located behind a NAT cannot location of a host that is located behind a NAT cannot be
be determined by the access network. The LIS would in this case determined by the access network. The LS would in this case only
only see the public IP address of the NAT binding allocated by the see the public IP address of the NAT binding allocated by the NAT,
NAT, which is the correct behavior. The property of the IP which is the correct behavior. The property of the IP address for
address for a return routability check is attractive as well to a return routability check is attractive as well to return
return location information only to a device that transmitted the location information only to a device that transmitted the
request. The LIS receives the request and provides location request. The LS receives the request and provides location
information back to the same IP address. If an adversary wants to information back to the same IP address. If an adversary wants to
learn location information from an IP address other than its own learn location information from an IP address other than its own
IP address then it would not see the response message (unless he IP address then it would not see the response message (unless he
is on the subnetwork or at a router along the path towards the is on the subnetwork or at a router along the path towards the LS)
LIS) since the LIS would return the message to the address where since the LS would return the message to the address where it came
it came from. from.
On a shared medium an adversary could ask for location information On a shared medium an adversary could ask for location information
of another host using its IP address. The adversary would be able of another host using its IP address. The adversary would be able
to see the response message since he is sniffing on the shared to see the response message since he is sniffing on the shared
medium unless security mechanisms (such as link layer encryption) medium unless security mechanisms (such as link layer encryption)
is in place. With a network deployment as shown in Section 3.1 is in place. With a network deployment as shown in Section 3.1
with multiple hosts in the Customer Premise being behind a NAT the with multiple hosts in the Customer Premise being behind a NAT the
LIS is unable to differentiate the individual end points. For LS is unable to differentiate the individual end points. For WLAN
WLAN deployments as found in hotels, as shown in as shown in deployments as found in hotels, as shown in as shown in
Section 3.3, it is possible for an adversary to eavesdrop data Section 3.3, it is possible for an adversary to eavesdrop data
traffic and subsequently to spoof the IP address in a query to the traffic and subsequently to spoof the IP address in a query to the
LIS to learn more detailed location information (e.g., specific LS to learn more detailed location information (e.g., specific
room numbers). Such an attack might, for example, compromise the room numbers). Such an attack might, for example, compromise the
privacy of hotel guests. Note that DHCP would suffer from the privacy of hotel guests. Note that DHCP would suffer from the
same problem here unless each node uses link layer security same problem here unless each node uses link layer security
mechanism. mechanism.
Return routability checks are useful only if the adversary does Return routability checks are useful only if the adversary does
not see the response message and if the goal is to delay state not see the response message and if the goal is to delay state
establishment. If the adversary is in a broadcast network then a establishment. If the adversary is in a broadcast network then a
return routability check alone is not sufficient to prevent the return routability check alone is not sufficient to prevent the
above attack since the adversary will observe the response. above attack since the adversary will observe the response.
6. Virtual Private Network (VPN) Considerations 6. Requirements
To establish a VPN, a VPN client uses a particular VPN protocol to
create a tunnel to a VPN server. VPNs can be established using a
variety of protocols (e.g., IPsec, L2TP). The protocol used to
establish the VPN does not impact LIS discovery or location
acquisition.
VPN characteristics that can impact LIS discovery or acquiring a
location from a LIS include the relationship of the VPN client to the
communications application (e.g., VoIP phone), and whether the VPN
server requires the device with the VPN client to send all outbound
IP traffic across the VPN.
6.1. VPN Tunneled Internet Traffic
Any form of LIS discovery that would work without the VPN being
established, will also be able to work after the VPN has been
established. The DNS method of LIS discovery requires a device to
discover the proper IP address for discovering and querying the LIS.
Some devices may be expected to operate in a number of different
networks, including corporate networks, hotspots, home networks, and
protected networks by way of a VPN. The appropriate IP address to
use for LIS discovery may vary depending on the network.
It may be useful for such devices to do a reverse DNS lookup, LIS
discovery request, and LIS query for all IP addresses they can
determine for themselves. When all LISs involved in these queries
are properly configured, only one of these queries should be expected
to succeed. LISs should not be configured to provide a location for
an IP address that may be used by many geographically dispersed
users, or when the LIS has no way to determine the geographic
location of the device using the IP address.
This form of VPN will not interfere with queries to the LIS, once the
LIS has been discovered. It will also not interfere with location
dereferencing.
6.2. VPN Client and End Point Physically Co-Located
If LIS discovery and queries are done prior to establishing the VPN,
then the VPN will not interfere. For this reason, it is highly
desirable for devices that may support communications applications to
do location acquisition shortly after initial bootstrap, and prior to
establishing any VPN. As the communication application may not be
running prior to establishing the VPN, it is best if the
communication application is not responsible for location
acquisition.
Once a VPN has been established, the device should not permit
location acquisition to be attempted. Location acquisition done
after a VPN is established will either fail, or provide the wrong
location.
If the device does allow attempts at location acquisition after
establishing the VPN, these attempts should fail. LIS discovery
through DHCP, Redirect, and Multicast methods would fail due to lack
of support by the VPN server (it is undesirable for a VPN server to
support LIS discovery). For DNS discovery, the device might know a
variety of IP addresses, such as the IP address obtained at bootstrap
(which may be public or private, depending on whether the device is
behind a NAT), the VPN IP address, and an IP address the VPN provider
uses for Internet traffic through its firewall. RDNS of private LAN
addresses will fail. Success for RDNS of the VPN address would
depend on whether there are entries in the VPN provider's DNS server.
If RDNS of the VPN IP address succeeds, and the VPN provider has a
LIS in their network, LIS discovery of the VPN network's LIS should
succeed. It is desirable for a LIS that may get queries from devices
entering the network through a VPN, to provide an error response to
location queries that use such IP addresses. The LIS should not be
configured to return a location for these IP addresses.
RDNS of public IP addresses should generally succeed (assuming the
VPN provider's DNS allows for these queries to succeed). For IP
addresses used to connect the VPN network to the Internet, the
returned domain of RDNS would be the owner of that IP address, which
is either the VPN provider or its ISP. If the domain is that of the
VPN provider, the VPN provider may or may not have a DNS LIS entry
associated with that domain. If there is a LIS, that LIS should not
be configured to return a location for its public IP addresses. If
an ISP owns the domain of the VPN's public IP address, the device
will discover the ISP's LIS, and that LIS will return the location
where traffic from that IP address enters the access network. If the
device knows its public IP address, and RDNS and LIS discovery
succeeded, the LIS would not provide location information (assuming
the LIS would not be able to authenticate the device through means
other than return routability). The message that reached the LIS
would not be using (in the IP Header) an IP address from its domain.
If the private network allows traffic to go to the Internet,
dereferencing of a location reference will work.
6.3. VPN Client and End Point Physically Separated
In this case, it is possible for the device with the VPN client to
participate in the location acquisition process, and to provide
location to end devices. If the VPN client device does participate,
then it must acquire location information before setting up its VPN.
If the VPN client device that participates in location acquisition is
also the DHCP server for the LAN, then it would be able to either
provide its location by DHCP, or provide itself as the LIS by DHCP.
If this device names itself as the DNS server for devices in the LAN,
then it could support RDNS for LAN addresses and provide itself as
the LIS. If it says it is the LIS, then it must be able to respond
to LIS queries for location acquisition. This device would also be
able to support Redirect or Multicast methods of LIS determination.
If the VPN client device does not participate in location
acquisition, then location acquisition will either fail or provide
the wrong location, with the same results as described in section X.2
for a device that attempts location acquisition after establishing a
VPN.
If the private network allows traffic to go to the Internet,
dereferencing of a location reference will work.
7. Location-by-Reference and Location Subscriptions
In mobile wireless networks it is not efficient for the end host to
periodically query the LIS for up-to-date location information.
Furthermore, the end host might want to delegate the task of
retrieving and publishing location information to a third party, such
as a presence server. Finally, in some deployments the network
operator might not want to make location information available to the
end hosts.
These usage scenarios motivated the introduction of the location-by-
reference concept. Depending on the type of reference, such as HTTP/
HTTPS or SIP presence URI, different operations can be performed.
While an HTTP/HTTPS URI can be resolved to location information, a
SIP presence URI provides further benefits from the SUBSCRIBE/NOTIFY
concept that can additionally be combined with location filters [13].
Figure 4 shows the assumed communication model:
+--------+ Dereferencing +-----------+
| | Protocol (3) | |
| LIS +---------------+ Location |
| | | Recipient |
+---+----+ | |
| +----+------+
| --
| Geopriv-L7 --
| Protocol --
| (1) ---
| -- Geopriv
| --- Using (e.g.,SIP)
| -- Protocol
+----+-----+ -- (2)
| Target / +--
| End Host |
+----------+
Figure 4: Communication Model
Note that there is no requirement for using the same protocol in (1)
and (3).
The following list describes the location subscription idea:
1. The end host discovers the LIS.
2. The end host sends a request to the LIS asking for a location-by-
reference, as shown in (1) of Figure 4.
3. The LIS responds to the request and includes a location object
together with a subscription URI.
4. The Target puts the subscription URI into a SIP message as
described in [14] forwards it to a Location Recipient, as shown
in (2) of Figure 4. The Location Recipient subscribes to the
obtained subscription URI (see (3) of Figure 4) and potentially
uses a location filter (see [13]) to limit the notification rate.
5. If the Target moves outside a certain area, indicated by the
location filter, then the Location Recipient will receive a
notification.
Note that the Target may also act in the role of the Location
Recipient whereby it would subscribe to its own location information.
For example, the Target obtains a subscription URI from the
Geopriv-L7 protocol. It subscribes to the URI in order to obtain its
currently location information, which then serves as input to a LoST
query (see [15]) in order to acquire the service boundary (e.g., PSAP
boundary). The service boundary indicates the region where the
device can move without the need to re-query since the returned
answer remains unchanged. The Target uses this service boundary to
location filters an updates the subscription. If the Target moves
outside a certain area, indicated by the location filter, it will
receive a notification and knows that re-querying LoST to obtain a
new service boundary is necessary.
For location-by-reference, the LIS needs to maintain a list of
randomized URIs for each host, timing out these URIs after the
reference expires. References need to expire to prevent the
recipient of such a URL from being able to (in some cases)
permanently track a host. Furthermore, this mechanism also offers
garbage collection capability for the LIS.
Location references must prevent adversaries from obtaining the
Target's location. There are at least two approaches: The location
reference contains a random component and allows any holder of the
reference to obtain location information. Alternatively, the
reference can be public and the LIS performs access control via a
separate authentication mechanism, such as HTTP digest or TLS client
side authentication, when resolving the reference to a location
object.
8. Preventing Faked Location based DoS Attacks
This section describes a possible security threat in emergency
related location conveyance and subsequently discusses
countermeasures to overcome the threat.
8.1. Security Threat
Consider an end host that wants to act maliciously and creates its
own location object with faked location information and uses this
information in a subsequent SIP communication. In case of an
emergency call the other communication partner, the Public Safety
Answering Point (PSAP) operator, would use the information
potentially without having a further possibility to verify the
received location information. Emergency personnel would be sent to
the indicated location noticing that there is no incident.
Hence, the PSAP operator, and the Location Recipient in general,
would like to ensure that the provided location information is
genuine, accurate and fresh to avoid taking wrong actions, such as
dispatching emergency personnel to a wrong location.
There seems to be a need for preventing location forgery, replay and
substitution attacks, which are all forms of sending a location which
is deliberately not that of the end host. As shown below, various
forms of countermeasures are possible to mitigate these attacks.
Although some aspects are within the scope of the Geopriv-L7 Location
Configuration Protocol (LCP), which is between a LIS and an Target,
some aspects refer to other protocols, as shown in Figure 4. For
example, in an emergency call, the PSAP (as a Location Recipient)
wishes to verify that the location is indeed that of the calling
party. Further, the Geopriv-L7 LCP is not the only protocol that
could be used by an end host to acquire its location. Therefore, the
topic of signatures on the location information was deemed out of
scope. The subsequent discussion about countermeaures aims to
capture the state of the discussions and illustrates the complexity
in the overall design.
8.2. Discussion about Countermeasures
The goal of the above-described mechanism is to prevent prank calls
and, in case of emergency services, unnecessary first-responder
dispatch. As such, it is a mechanism to reduce the vulnerability of
denial of service attacks. The benefit of a digital signature
created by the LIS and covering the location information (plus some
other fields) is to treat a missing or invalid signature as suspect
during the call. The call would be treated differently in the sense
that more questions might be asked (if an interaction with a human
person is possible). In case of emergency services, the call might
get ranked differently if certain criteria are not fulfilled and if
the PSAP operator is confronted with a massive amount of calls
without the possiblity to respond to all of them.
8.2.1. Signed Location Information
One of the proposed countermeasures is to sign location information
by the LIS before it is sent to the end host whereby the signed
location information is verified by the final Location Recipient
rather than the Target. This prevents the Target from tampering with
the received location information since the digital signature would
become invalid. The Location Recipient would be able to verify the
source of the location information. Since the number of nodes that
may play the role of a Location Recipient is large it is difficult to
utilize a pre-shared secret key based infrastructure. Hence, a
public key based infrastructure is required but authorization still
remains challenging.
This solution approach is challenging when a PIDF-LO [16] has to be
signed (instead of location information only) since the PIDF-LO
contains more than just location information, such as "entity"
attribute of the 'presence' element, and usage-rules (e.g.,
'retransmission-allowed', 'retention-expires', 'ruleset-reference',
'note-well').
The value for the "entity" attribute of the 'presence' element is, in
many cases, not known to the L2/L3 provider. If the LIS signs some
layer-2/layer-3 (e.g., PPP/RADIUS/NAI) identity as entity URI, it
will unlikely be the SIP URI.
To prevent adversaries from reusing an eavesdropped signed location
object it is necessary to include additional information when
generating the digital signature. For example, a timestamp and a
validity field are useful to prevent certain replay attacks.
Furthermore, the "entity" attribute may be included in the digital
signature of a PIDF-LO with the following semantic: When using the
signed location object (e.g., in SIP or another higher layer
protocol), the Target needs to authenticate to the Location Recipient
using the same identity carried in the "entity" attribute of the
'presence' element of the signed PIDF-LO. Using SIP, for example, a
SIP proxy server could assert the entity URI corresponding to the
Target using the SIP identity mechanism.
Including the layer 7 identity into the "entity" attribute of the
'presence' element poses a privacy problem since the access network
provider can now see an identity that is in use. Hence, the LIS and
possibly unauthorized listeners (if there's no privacy protection)
find out where the L7 entity is located, rather than just the
location information.
With regard to the ability for an adversary to replay an eavesdropped
a signed location object, the following two approaches need to be
considered:
1. A signed PIDF-LO with the L7 identity included, conveyed without
confidentiality protection from the Target to the Location
Recipient, and
2. A signed PIDF-LO, without the L7 identity, conveyed with
confidentiality protection from the Target to the Location
Recipient.
Note that in both cases confidentiality protection for the
communication between the LIS and the Target is provided. (2) has the
same security properties as (1) in terms of the ability of somebody
else to steal and re-use the PIDF-LO ("location theft") (assuming the
Location Recipient and the Target are honest).
An adversary might, for example, want to perform a replay attack by
eavesdropping the signed location object. If the LIS includes
additional attributes, such as a timestamp and the validity time, the
vulnerability can be reduced although not entirely prevented. The
reason for an adversary to still be able to replay the location
information is that there is no verifiable identifier is associated
with the signed location information. For example, the LIS might
include the IP address of the end host to the signed location object.
Spoofing the IP address is, however, relatively easy. Moreover, the
IP address that is used to associate the location information cannot
be verified by the LR since the IP address can be modified
legitimately (e.g., NAT reasons) or might not be seen due to
tunneling techniques (e.g., VPN, Mobile IP).
Ideally, an "identifier" with the property of being non-spoofable by
an adversary and verifiable by the LR when it receives a signed
location object, which will ensure that the submitted location
information is actually sent by the claimed end host and not
replayed. One such verifiable identifier is a public key, the serial
number of a certificate, a hash of a public key (in the sense of
Purpose-Built-Keys or Cryptographically-Generated-Addresses) or the
value of a hash chain. We call this identifier, key identifier or
keyID for short.
In more details, the end host provides this identifier to the LIS and
it is signed together with location information. The following steps
are executed:
1. The end host interacts with the LIS to obtain its location
information. The communication is secured using Transport Layer
Security. This request carries the keyID. In this example, we
use a keyID that represents the hash of a public key. The LIS
ties the received keyID to the location object and signs it.
2. The LIS returns the signed location object that includes the
keyID to the requesting end host.
3. Whenever the end host wants to distribute its location
information to a LR, it attaches location information to a SIP
message as described in [14]. The end host computes a digital
signature over the SIP header fields and signed location object
(as, for example, envisioned by SIP Identity [17]) with the
private key that corresponds to the hashed public key found in
the signed location object.
4. This message is sent to the LR.
5. The LR receives the message and it performs the following steps:
* It retrieves the public key.
* It computes the hash over the public key and compares it with
the value in the key identifier included in the signed
location object.
* It verifies the digital signature and thereby ensures that the
end host is indeed in possession of the private key
corresponding to the obtained public key.
* It verifies the digital signature protecting the location
information and checks whether it was signed by a trusted
access provider.
Even if an adversary eveasdrops the communication between the end
host and the LR it cannot successfully replay a signed location
object since it does not know the private key corresponding to the
hashed public key found in the signed location information. The
achieved security protection might even be stronger in context of
CGAs.
8.2.2. Authenticated Calls
In many cases, authenticated calls, i.e., verifying the callers
identity, are at least as useful as location signing since it
establishes accountability for later prosecution.
If most of the legitimate calls are authenticated in some way, then
it is possible, under attack conditions only, to give "dubious" calls
lower priority or to have them go through some sort of turing test.
As an example, PSAP operators do not want to reject emergency calls
regardless of how they look like, but if the alternative is wasting
90% of the resources on bogus calls (and thus leaving many legitimate
callers stranded) and not handling the unlucky unauthenticated, the
expected outcome is better if you can separate. This is the standard
"triage" model used in emergency medicine.
If somebody places a signed (known-third-party VSP-authenticated)
call, there is at least the possibility of catching a malicious
caller and the number of such calls is limited. Thus, there are only
legitimate calls left
o that use end system location determination (e.g., GPS, manual
configuration);
o that have no (known) VSP;
o that are not signed in some other way
In general, it is necessary to separate authentication from charging.
There is no reason for tying authentication, authorization and
charging together for this particular context. For example,
certificates can be used, for example, for emergency service without
being subscribed to either a VSP or ISP.
8.2.3. Location-by-Reference
The concept of location-by-reference was described in Section 7. The
properties of location signing are very similar (if not equal) to the
properties of the location-by-reference concept when the Location
Recipient only authenticates the LIS (but not vice-versa). Both
mechanisms allow the Location Recipient to authenticate the LIS (and
potentially the access network provider).
There are also a few drawbacks with the location signing and the
location-by-reference concept:
o Location signing has very limited utility if the number of signing
parties is very large
o Location signing has very limited utility for commercial
transactions. Commercial entities do not care whether a customer
lies about their location, as long as they can make you pay for
the service you asked for.
Authenticated calls also have their disadvantage since they require
end-host or end-user certificates, which creates a deployment burden,
unless mechanisms similar to SIP Identity [18] are used.
Furthermore, authenticated calls do not prevent attacks where the
location information was obtained unsecured from a LIS and an
adversary in the access network was able to tamper with the in-flight
location information.
9. Requirements
The following requirements and assumptions have been identified: The following requirements and assumptions have been identified:
Requirement L7-1: Identifier Choice Requirement L7-1: Identifier Choice
The LIS MUST be presented with a unique identifier of its own The LS MUST be presented with a unique identifier of its own
addressing realm associated in some way with the physical location addressing realm associated directly or indirectly (i.e., linked
of the end host. through other identifiers) with the physical location of the end
host.
An identifier is only appropriate if it is from the same realm as An identifier is only appropriate if it is from the same realm as
the one for which the location information service maintains the one for which the location information service maintains
identifier to location mapping. identifier to location mapping.
Requirement L7-2: Mobility Support Requirement L7-2: Mobility Support
The GEOPRIV Layer 7 Location Configuration Protocol MUST support a The GEOPRIV Layer 7 Location Configuration Protocol MUST support a
broad range of mobility from devices that can only move between broad range of mobility from devices that can only move between
reboots, to devices that can change attachment points with the reboots, to devices that can change attachment points with the
impact that their IP address is changed, to devices that do not impact that their IP address is changed, to devices that do not
change their IP address while roaming, to devices that change their IP address while roaming, to devices that
continuously move by being attached to the same network attachment continuously move by being attached to the same network attachment
point. point.
Requirement L7-3: Layer 7 and Layer 2/3 Provider Relationship Requirement L7-3: Layer 7 and Layer 2/3 Provider Relationship
The design of the GEOPRIV Layer 7 Location Configuration Protocol The design of the GEOPRIV Layer 7 Location Configuration Protocol
MUST NOT assume a business or trust relationship between the MUST NOT assume a business or trust relationship between the
provider of application layer (e.g., SIP, XMPP, H.323) provider provider of application layer (e.g., SIP, XMPP, H.323) provider
and the access network provider operating the LIS. and the access network provider operating the LS.
Requirement L7-4: Layer 2 and Layer 3 Provider Relationship Requirement L7-4: Layer 2 and Layer 3 Provider Relationship
The design of the GEOPRIV Layer 7 Location Configuration Protocol The design of the GEOPRIV Layer 7 Location Configuration Protocol
MUST assume that there is a trust and business relationship MUST assume that there is a trust and business relationship
between the L2 and the L3 provider. The L3 provider operates the between the L2 and the L3 provider. The L3 provider operates the
LIS and needs to obtain location information from the L2 provider LS and needs to obtain location information from the L2 provider
since this one is closest to the end host. If the L2 and L3 since this one is closest to the end host. If the L2 and L3
provider for the same host are different entities, they cooperate provider for the same host are different entities, they cooperate
for the purposes needed to determine end system locations. for the purposes needed to determine end system locations.
Requirement L7-5: Legacy Device Considerations Requirement L7-5: Legacy Device Considerations
The design of the GEOPRIV Layer 7 Location Configuration Protocol The design of the GEOPRIV Layer 7 Location Configuration Protocol
MUST consider legacy residential NAT devices and NTEs in an DSL MUST consider legacy residential NAT devices and NTEs in an DSL
environment that cannot be upgraded to support additional environment that cannot be upgraded to support additional
protocols, for example to pass additional information through protocols, for example to pass additional information through
DHCP. DHCP.
Requirement L7-6: VPN Awareness Requirement L7-6: VPN Awareness
The design of the GEOPRIV Layer 7 Location Configuration Protocol The design of the GEOPRIV Layer 7 Location Configuration Protocol
MUST assume that at least one end of a VPN is aware of the VPN MUST assume that at least one end of a VPN is aware of the VPN
functionality. In an enterprise scenario, the enterprise side functionality. In an enterprise scenario, the enterprise side
will provide the LIS used by the client and can thereby detect will provide the LS used by the client and can thereby detect
whether the LIS request was initiated through a VPN tunnel. whether the LS request was initiated through a VPN tunnel.
Requirement L7-7: Network Access Authentication Requirement L7-7: Network Access Authentication
The design of the GEOPRIV Layer 7 Location Configuration Protocol The design of the GEOPRIV Layer 7 Location Configuration Protocol
MUST NOT assume prior network access authentication. MUST NOT assume prior network access authentication.
Requirement L7-8: Network Topology Unawareness Requirement L7-8: Network Topology Unawareness
The design of the GEOPRIV Layer 7 Location Configuration Protocol The design of the GEOPRIV Layer 7 Location Configuration Protocol
MUST NOT assume end systems being aware of the access network MUST NOT assume end systems being aware of the access network
topology. End systems are, however, able to determine their topology. End systems are, however, able to determine their
public IP address(es) via mechanisms such as STUN [4] or NSIS public IP address(es) via mechanisms such as STUN [5] or NSIS
NATFW NSLP [19] . NATFW NSLP [14] .
10. Security Considerations
10.1. Capabilities of the Adversary
As common elsewhere, several kinds of attackers can be distinguished.
As always, Alice is the "good guy" and Trudy the attacker. Attackers
can be:
o off-path, i.e., it cannot see packets between Alice and the LIS;
o on-path, i.e., can see such packets.
On-path attackers may be:
o passive, i.e., can only observe;
o semi-active, i.e., can inject packets with a bogus IP address, but
cannot prevent the delivery of packets from the end system or
modify these packets;
o active, i.e., can inject and modify packets at will.
10.2. Threats
When the reference to location information is communicated to the
Location Recipient then on-path adversaries can eavesdrop the
signaling communication together with the reference. Furthermore,
the end-to-end communication might involve SIP proxies and they may
not be trustworthy. Hence, they can eavesdrop the reference and
misuse it (by resolving it).
Untrusted proxies that are involved in the communication lead to a
requirement for the Target to selectively grant access to already
known and trusted Location Recipients.
The following list presents threats specific to location information
handling:
Place-Shifting (PS):
Trudy pretends to be at an arbitrary location.
Time-Shifting (TS):
Trudy pretends to be at a location she was a while ago.
Location-Theft (LT):
Trudy observes Alice's location and replays it as her own location
object.
Location-Identity-Theft (LIT):
Trudy observes Alice's location and her identity (e.g., presence
identity) and replays it.
Location-Swapping (LS):
Trudy' and Trudy'', located at different locations, can collude
and swap location objects and pretend to be in each other's
location.
Table 1 shows the different threats and the applicability of proposed
countermeasures.
+----+----------+-----------+-----------+---------------+-----------+
| | Asserted | Timestamp | Encrypted | Authenticated | Location |
| | Location | | Location | Call | by |
| | | | | | Reference |
+----+----------+-----------+-----------+---------------+-----------+
| PS | X | - | - | Track | X |
| | | | | Offender | |
| | | | | | |
| TS | - | X | - | Track | Limits |
| | | | | Offender | Impact |
| | | | | | |
| LT | - | - | X | Track | - |
| | | | | Offender | |
| | | | | | |
| LI | - | - | X | - | - |
| T | | | | | |
| | | | | | |
| LS | - | Limits | - | Track | - |
| | | Impact | | Offender | |
+----+----------+-----------+-----------+---------------+-----------+
Table 1
Legend:
-: Functionality not necessary to accomplish the desired
functionality.
X: Functionality needed to prevent threat.
10.3. Requirements
The following requirements are placed on the location-by-value
approach:
o No conclusion was reached whether a PIDF-LO or just location
information has to be signed.
o No conclusion was reached whether location information should be
signed.
o No conclusion was reached what could be signed.
The following requirements are placed on the location-by-reference
approach:
o The reference MUST be valid for a limited amount of time.
o The reference MUST be hard to guess, i.e., it MUST contain a
cryptographically random component.
o The reference MUST NOT contain any information that identifies the Requirement L7-9: Discovery Mechanism
user, device or address of record
o The Location Recipient MUST be able to resolve the reference more The GEOPRIV Layer 7 Location Configuration Protocol MUST provide a
than once (i.e., there is no implicit limit on the number of mandatory-to-implement discovery mechanism.
dereferencing actions).
o Possessing a reference to location information allows a Location 7. Security Considerations
Recipient to repeately obtain the latest information about the
Target with the same granularity.
o The Target MUST be able to resolve the reference itself. This document addresses security aspect throughout the document.
11. IANA Considerations 8. IANA Considerations
This document does not require actions by IANA. This document does not require actions by IANA.
12. Contributors 9. Contributors
This contribution is a joint effort of the GEOPRIV Layer 7 Location This contribution is a joint effort of the GEOPRIV Layer 7 Location
Configuration Requirements Design Team of the Geopriv WG. The Configuration Requirements Design Team of the IETF GEOPRIV Working
contributors include Henning Schulzrinne, Barbara Stark, Marc Group. The contributors include Henning Schulzrinne, Barbara Stark,
Linsner, Andrew Newton, James Winterbottom, Martin Thomson, Rohan Marc Linsner, Andrew Newton, James Winterbottom, Martin Thomson,
Mahy, Brian Rosen, Jon Peterson and Hannes Tschofenig. Rohan Mahy, Brian Rosen, Jon Peterson and Hannes Tschofenig.
The design team members can be reached at: The design team members can be reached at:
Marc Linsner: mlinsner@cisco.com Marc Linsner: mlinsner@cisco.com
Rohan Mahy: rohan@ekabal.com Rohan Mahy: rohan@ekabal.com
Andrew Newton: andy@hxr.us Andrew Newton: andy@hxr.us
Jon Peterson: jon.peterson@neustar.biz Jon Peterson: jon.peterson@neustar.biz
skipping to change at page 34, line 35 skipping to change at page 22, line 5
Henning Schulzrinne: hgs@cs.columbia.edu Henning Schulzrinne: hgs@cs.columbia.edu
Barbara Stark: Barbara.Stark@bellsouth.com Barbara Stark: Barbara.Stark@bellsouth.com
Martin Thomson: Martin.Thomson@andrew.com Martin Thomson: Martin.Thomson@andrew.com
Hannes Tschofenig: Hannes.Tschofenig@siemens.com Hannes Tschofenig: Hannes.Tschofenig@siemens.com
James Winterbottom: James.Winterbottom@andrew.com James Winterbottom: James.Winterbottom@andrew.com
The authors would like to thank Barbara Stark for her 'Virtual 10. Acknowledgements
Private Network (VPN) Considerations' text proposal.
13. Acknowledgements
We would like to thanks the IETF GEOPRIV working group chairs, Andy We would like to thank the IETF GEOPRIV working group chairs, Andy
Newton, Allison Mankin and Randall Gellens, for creating this design Newton, Allison Mankin and Randall Gellens, for creating this design
team. Furthermore, we would like thank Andy Newton for his support team. Furthermore, we would like thank Andy Newton for his support
during the design team mailing list, the Jabber chat conference and during the design team mailing list, for setting up Jabber chat
the phone conference discussions. Finally, we would like to thank conferences and for participating in the phone conference
Murugaraj Shanmugam for his draft review. discussions.
14. References We would also like to thank Murugaraj Shanmugam, Ted Hardie, Martin
Dawson, Richard Barnes, James Winterbottom, Tom Taylor, Otmar Lendl,
Marc Linsner, Brian Rosen, Roger Marshall, Guy Caron, Doug Stuard,
Eric Arolick, Dan Romascanu, Jerome Grenier, Martin Thomson, Barbara
Stark, Michael Haberler for their WGLC review comments.
14.1. Normative References 11. References
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement 11.1. Normative References
Levels", RFC 2119, BCP 14, March 1997.
[2] Cuellar, J., Morris, J., Mulligan, D., Peterson, J., and J. [1] Cuellar, J., Morris, J., Mulligan, D., Peterson, J., and J.
Polk, "Geopriv Requirements", RFC 3693, February 2004. Polk, "Geopriv Requirements", RFC 3693, February 2004.
[2] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", RFC 2119, BCP 14, March 1997.
[3] Schulzrinne, H. and R. Marshall, "Requirements for Emergency [3] Schulzrinne, H. and R. Marshall, "Requirements for Emergency
Context Resolution with Internet Technologies", Context Resolution with Internet Technologies",
draft-ietf-ecrit-requirements-12 (work in progress), draft-ietf-ecrit-requirements-13 (work in progress),
August 2006. March 2007.
14.2. Informative References 11.2. Informative References
[4] Rosenberg, J., Weinberger, J., Huitema, C., and R. Mahy, "STUN [4] Marshall, R., "Requirements for a Location-by-Reference
Mechanism used in Location Configuration and Conveyance",
draft-marshall-geopriv-lbyr-requirements-01 (work in progress),
March 2007.
[5] Rosenberg, J., Weinberger, J., Huitema, C., and R. Mahy, "STUN
- Simple Traversal of User Datagram Protocol (UDP) Through - Simple Traversal of User Datagram Protocol (UDP) Through
Network Address Translators (NATs)", RFC 3489, March 2003. Network Address Translators (NATs)", RFC 3489, March 2003.
[5] Aboba, B., "Link-local Multicast Name Resolution (LLMNR)", [6] Aboba, B., "Link-local Multicast Name Resolution (LLMNR)",
draft-ietf-dnsext-mdns-47 (work in progress), August 2006. draft-ietf-dnsext-mdns-47 (work in progress), August 2006.
[6] Cheshire, S. and M. Krochmal, "Multicast DNS", [7] Cheshire, S. and M. Krochmal, "Multicast DNS",
draft-cheshire-dnsext-multicastdns-06 (work in progress), draft-cheshire-dnsext-multicastdns-06 (work in progress),
August 2006. August 2006.
[7] Moskowitz, R., "Host Identity Protocol", draft-ietf-hip-base-06 [8] Moskowitz, R., "Host Identity Protocol", draft-ietf-hip-base-07
(work in progress), June 2006. (work in progress), February 2007.
[8] Aura, T., "Cryptographically Generated Addresses (CGA)", [9] Aura, T., "Cryptographically Generated Addresses (CGA)",
RFC 3972, March 2005. RFC 3972, March 2005.
[9] Aboba, B., Beadles, M., Arkko, J., and P. Eronen, "The Network [10] Aboba, B., Beadles, M., Arkko, J., and P. Eronen, "The Network
Access Identifier", RFC 4282, December 2005. Access Identifier", RFC 4282, December 2005.
[10] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote [11] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote
Authentication Dial In User Service (RADIUS)", RFC 2865, Authentication Dial In User Service (RADIUS)", RFC 2865,
June 2000. June 2000.
[11] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J. Arkko, [12] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J. Arkko,
"Diameter Base Protocol", RFC 3588, September 2003. "Diameter Base Protocol", RFC 3588, September 2003.
[12] Lemon, T. and B. Sommerfeld, "Node-specific Client Identifiers [13] Lemon, T. and B. Sommerfeld, "Node-specific Client Identifiers
for Dynamic Host Configuration Protocol Version Four (DHCPv4)", for Dynamic Host Configuration Protocol Version Four (DHCPv4)",
RFC 4361, February 2006. RFC 4361, February 2006.
[13] Mahy, R., "A Document Format for Filtering and Reporting [14] Stiemerling, M., "NAT/Firewall NSIS Signaling Layer Protocol
Location Notications in the Presence Information Document (NSLP)", draft-ietf-nsis-nslp-natfw-14 (work in progress),
Format Location Object (PIDF-LO)", March 2007.
draft-ietf-geopriv-loc-filters-00 (work in progress),
March 2006.
[14] Polk, J. and B. Rosen, "Session Initiation Protocol Location
Conveyance", draft-ietf-sip-location-conveyance-06 (work in
progress), January 2007.
[15] Hardie, T., "LoST: A Location-to-Service Translation Protocol",
draft-ietf-ecrit-lost-02 (work in progress), October 2006.
[16] Peterson, J., "A Presence-based GEOPRIV Location Object [15] Peterson, J., "A Presence-based GEOPRIV Location Object
Format", RFC 4119, December 2005. Format", RFC 4119, December 2005.
[16] Hardie, T., "LoST: A Location-to-Service Translation Protocol",
draft-ietf-ecrit-lost-05 (work in progress), March 2007.
[17] Peterson, J. and C. Jennings, "Enhancements for Authenticated [17] Peterson, J. and C. Jennings, "Enhancements for Authenticated
Identity Management in the Session Initiation Protocol (SIP)", Identity Management in the Session Initiation Protocol (SIP)",
RFC 4474, August 2006. draft-ietf-sip-identity-06 (work in progress), October 2005.
[18] Peterson, J. and C. Jennings, "Enhancements for Authenticated [18] Peterson, J. and C. Jennings, "Enhancements for Authenticated
Identity Management in the Session Initiation Protocol (SIP)", Identity Management in the Session Initiation Protocol (SIP)",
draft-ietf-sip-identity-06 (work in progress), October 2005. RFC 4474, August 2006.
[19] Stiemerling, M., "NAT/Firewall NSIS Signaling Layer Protocol
(NSLP)", draft-ietf-nsis-nslp-natfw-13 (work in progress),
October 2006.
[20] Schulzrinne, H., "Common Policy: A Document Format for
Expressing Privacy Preferences",
draft-ietf-geopriv-common-policy-11 (work in progress),
August 2006.
[21] Schulzrinne, H., "Geolocation Policy: A Document Format for
Expressing Privacy Preferences for Location Information",
draft-ietf-geopriv-policy-09 (work in progress), December 2006.
Authors' Addresses Authors' Addresses
Hannes Tschofenig Hannes Tschofenig
Siemens Networks GmbH & Co KG Nokia Siemens Networks
Otto-Hahn-Ring 6 Otto-Hahn-Ring 6
Munich, Bavaria 81739 Munich, Bavaria 81739
Germany Germany
Phone: +49 89 636 40390 Phone: +49 89 636 40390
Email: Hannes.Tschofenig@siemens.com Email: Hannes.Tschofenig@siemens.com
URI: http://www.tschofenig.com URI: http://www.tschofenig.com
Henning Schulzrinne Henning Schulzrinne
Columbia University Columbia University
 End of changes. 85 change blocks. 
753 lines changed or deleted 161 lines changed or added

This html diff was produced by rfcdiff 1.33. The latest version is available from http://tools.ietf.org/tools/rfcdiff/