1. Protecting First-Level Responder Resources in an IP-based Emergency Services Architecture 13 th April 2007, THE FIRST INTERNATIONAL WORKSHOP ON RESEARCH CHALLENGES IN NEXT GENERATION NETWORKS FOR FIRSTRESPONDERS AND CRITICAL INFRASTRUCTURES’; IN CONJUNCTION WITH IEEE IPCCC 2007, NEW ORLEANS, LOUISIANA, APRIL 11-13. Hannes Tschofenig, Henning Schulzrinne, Murugaraj Shanmugam, Andrew Newton

2. Scope  Citizen-to-Authority Emergency Services

3. Threat Models (1)  External adversary model: The target, e.g., an emergency caller whose location is going to be communicated, is honest and the adversary may be located between the target and the location server or between the target and the PSAP. None of the emergency service infrastructure elements act maliciously.

4. Threat Models (2)  Malicious emergency infrastructure adversary model: The emergency call routing elements, such as the location server, the LoST infrastructure or call routing elements, are malicious.

5. Threat Models (3)  Malicious target adversary model: The target itself acts maliciously. This adversary model is in the main focus of the subsequent solution approaches.

6. Overview  The chosen architecture impacts security.  Focus on PSAP resource exhaustion: 1.Location Spoofing 2.Call Identity Spoofing

7. Location Spoofing Threats  Place Shifting: Trudy, the adversary, pretends to be at an arbitrary location.  Time Shifting: Trudy pretends to be at a location she was a while ago.  Location Theft: Trudy observes Alice’s location and replays it as her own.  Location Swapping: Trudy and Malory, located in different locations, can collude and swap location information and pretend to be in each other’s location.

8. Location Spoofing Solution Approaches  Placement of SIP Proxy in the Access Network  Location by Reference  Location Signing

9. PSAP / Call Taker Mapping Server SIP proxy SOS caller (3)Location Location + Service Identifier (4) PSAP URI (5) INVITE urn:service:sos To: urn:service:sos (2) INVITE PSAP URI To: urn:service:sos (6) (1) dial dialstring LIS Placement of SIP Proxy in the Access Network  Deployment challenge  Security between SIP Proxy & PSAP: Increased number of proxies => trust problems  Does not help with the identity aspect (unless an IMS like system is used)

10. LIS SIP proxy PSAP / Call Taker Request Location Reference (2) Reference (3) INVITE PSAP URI To: urn:service:sos (5) INVITE PSAP URI To: urn:service:sos (6) (4) dial dialstring Location Reference  SIP Proxy does not need to be in the access network  PSAP contacts LIS and authenticates him.  Increased number of LIS => trust problems SOS caller Dereference (7) (8)

11. LIS SIP proxy PSAP / Call Taker Request Signed Location (2) Signed Location (3) INVITE PSAP URI To: urn:service:sos (5) INVITE PSAP URI To: urn:service:sos (6) (4) dial dialstring Location Signing  SIP Proxy does not need to be in the access network  PSAP verifies signed location object  Solution technically more challenging SOS caller

12. Identity Spoofing  Solution to Identity Spoofing: Authenticated Emergency Calls  Authenticated identity useful for Post-Mortem analysis (if the identity can be linked to a real-world entity)  Two types of identities:  Authentication at the ISP/ASP  Authentication at the VSP  Identities can appear in various flavors:  P-Asserted Identity  SIP Identity / SIP SAML  End-to-End Security  Ease of deployment: Provider asserted identity  Does not work nicely with unauthenticated networks* * If unauthenticated also refers to unauthenticated SIP emergency calls rather than plain unauthenticated network access.

13. Summary

14. Conclusion  Various solution proposals have been discussed for some time.  Unfortunately, a proper model for evaluation is missing to determine the tradeoff between complexity vs. benefits.  Input from the research community is appreciated.  Join the ECRIT & GEOPRIV mailing list: http://www.ietf.org/html.charters/ecrit-charter.html http://www.ietf.org/html.charters/geopriv-charter.html