12th April 2007, SDO Emergency Services Workshop 2007

Presentation transcript:

Security: Is the next generation emergency service infrastructure less secure? 12th April 2007, SDO Emergency Services Workshop 2007 Hannes Tschofenig (moderator)

Panel Members
- Richard Barnes
- James Winterbottom
- Stephen Edge
- Hannes Tschofenig (moderator)

Bios
Richard Barnes: Richard Barnes received a B.S. in Mathematics and Computer Science from the University of Virginia, and an M.S. in Mathematics the following year. His expertise is in applications of security technologies in a wide variety of areas. Before completing his degrees, he conducted cryptographic research for the U.S. Department of Defense, and since 2005, he has worked on BGP and VoIP security at BBN, a small research and development company. Since a few months before IETF 66 in July 2006, Mr. Barnes has participated in VoIP-relevant working groups in the IETF (especially ECRIT and GEOPRIV), and in the recent RTPSEC discussions.
James Winterbottom: James Winterbottom has over 20 years' experience in the telecommunications industry. James has had extensive experience in the specification, deployment and support of E911 and value-added cellular location systems in North America and throughout the world. James has been active in the IETF Geopriv and ECRIT working groups for several years and is the co-chair for the VoIP Location Working Group in NENA.
Stephen Edge: Stephen Edge coordinates Location Services standards at Qualcomm. He has been a participant in and contributor to location services and emergency call support in ATIS WTSC (formerly T1P1) and 3GPP since 1998, and in OMA since 2005.
Hannes Tschofenig (moderator): Hannes Tschofenig received a University Diploma in Computer Science from the University of Klagenfurt, Austria, in 2001. He then joined the Siemens research labs and worked in the corporate technology research labs in Munich until 2006. Since April 2007 he has been employed as a Senior Research Scientist at Nokia Siemens Networks. His primary research interests are in network security, with a focus on mobile communications. He chairs the IETF Emergency Context Resolution with Internet Technologies (ecrit), IETF Diameter Maintenance and Extensions (dime) and IETF Provisioning of Symmetric Keys (keyprov) working groups. He is author or co-author of a number of RFCs and various papers.

Overview
- Fact: The chosen architecture impacts security.
- Focus on PSAP resource exhaustion:
  - Attacks due to faked location
  - Attacks due to faked identity

Faked Location
- Useful for “Real-Time Security Analysis” (ranking under heavy load)
- Discussed solutions:
  - Placement of SIP Proxy in the Access Network
  - Location by Reference
  - Location Signing

Placement of SIP Proxy in the Access Network
[Figure: message flow, steps (1) to (6), between SOS caller, SIP proxy, LIS, Mapping Server and PSAP / Call Taker. Labels: dial dialstring; INVITE urn:service:sos, To: urn:service:sos; Location; Location + Service Identifier; PSAP URI; INVITE PSAP URI, To: urn:service:sos, <PIDF-LO Reference>]
- Deployment challenge
- Security between SIP Proxy & PSAP: increased number of proxies => trust problems
- Does not help with the identity aspect (unless an IMS-like system is used)

Location Reference
[Figure: message flow, steps (2) to (8), between SOS caller, SIP proxy, LIS and PSAP / Call Taker. Labels: Request Location Reference; Reference; dial dialstring; INVITE PSAP URI, To: urn:service:sos, <Reference>; Dereference]
- SIP Proxy does not need to be in the access network
- PSAP contacts the LIS and authenticates it
- Increased number of LIS => trust problems

Location Signing
[Figure: message flow, steps (2) to (6), between SOS caller, SIP proxy, LIS and PSAP / Call Taker. Labels: Request Signed Location; Signed Location; dial dialstring; INVITE PSAP URI, To: urn:service:sos, <Reference>]
- SIP Proxy does not need to be in the access network
- PSAP verifies signed location object
- Solution technically more challenging

Faked Identity
- Useful for post-mortem analysis (if the identity can be linked to a real-world entity)
- Identities can appear in various flavors:
  - P-Asserted Identity
  - SIP Identity / SIP SAML
  - End-to-End Security
- Ease of deployment: provider-asserted identity
- Does not work nicely with unauthenticated networks*
* If unauthenticated also refers to unauthenticated SIP emergency calls rather than plain unauthenticated network access.
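The "ranking under heavy load" idea from the Faked Location slide, combined with the provider-asserted identity from the Faked Identity slide, can be sketched as PSAP-side triage logic. This is an added example, not part of the original presentation; it assumes location is conveyed in a SIP `Geolocation` header, and the `TRUSTED_LIS` set, the scoring scale and all hosts are hypothetical.

```python
import re
from urllib.parse import urlsplit

TRUSTED_LIS = {"lis.example.net"}  # assumption: LIS hosts this PSAP can authenticate

def invite(*extra):
    """Build a constructed INVITE to urn:service:sos (sample data, not captured traffic)."""
    lines = ["INVITE urn:service:sos SIP/2.0", "To: <urn:service:sos>", *extra, "", ""]
    return "\r\n".join(lines)

def headers(msg):
    """Parse the SIP header section into a dict of lowercase name -> list of values."""
    out = {}
    head = msg.replace("\r\n", "\n").split("\n\n", 1)[0]
    for line in head.split("\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        out.setdefault(name.strip().lower(), []).append(value.strip())
    return out

def location_trust(h):
    """2: reference to a LIS the PSAP can authenticate; 1: location present but
    unverifiable (by value, or unknown LIS); 0: no location conveyed."""
    best = 0
    for value in h.get("geolocation", []):
        for raw in re.findall(r"<([^>]+)>", value):
            uri = urlsplit(raw)
            trusted = uri.scheme == "https" and uri.hostname in TRUSTED_LIS
            best = max(best, 2 if trusted else 1)
    return best

def identity_trust(h, from_trusted_proxy):
    """P-Asserted-Identity counts only when the previous hop is a trusted proxy."""
    return 1 if from_trusted_proxy and h.get("p-asserted-identity") else 0

def rank(calls):
    """Order (label, message, from_trusted_proxy) tuples for answering under load.
    Nothing is dropped: weakly attested calls are queued later, not rejected."""
    def score(call):
        h = headers(call[1])
        return (location_trust(h), identity_trust(h, call[2]))
    return [c[0] for c in sorted(calls, key=score, reverse=True)]

PAI = "P-Asserted-Identity: <sip:alice@provider.example.com>"
CALLS = [
    ("D", invite(PAI), False),  # identity header from an untrusted hop, no location
    ("C", invite(PAI, "Geolocation: <cid:loc@192.0.2.10>"), True),  # by value
    ("B", invite("Geolocation: <https://lis.example.net/ref/abc123>"), False),
    ("A", invite(PAI, "Geolocation: <https://lis.example.net/ref/abc123>"), True),
]
print(rank(CALLS))
```

A reference that scores 2 still has to be dereferenced at the LIS; verification of a signed by-value location object is outside this sketch, so by-value location is scored as unverifiable.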

Questions
- Do PSAP operators accept an emergency call with signed location but without an authenticated identity?
- Do PSAP operators accept an authenticated emergency call without a signed location?
- How large is this problem already today with bogus calls?
  - Via pay phones
  - Via uninitialized phones / unauthenticated network access
- Are statistics available?

Is the next generation emergency service infrastructure less secure?
- Solutions could even provide better security than today’s networks.
- However, solutions raise a number of questions (particularly with respect to the deployment).
- There is no free lunch!