| ECRIT | H. Schulzrinne |
| Internet-Draft | Columbia University |
| Intended status: Experimental Protocol | H. Tschofenig |
| Expires: January 09, 2013 | Nokia Siemens Networks |
| July 10, 2012 |
Synchronizing Location-to-Service Translation (LoST) Protocol based Service Boundaries and Mapping Elements
draft-ietf-ecrit-lost-sync-18.txt
The Location-to-Service Translation (LoST) protocol is an XML-based protocol for mapping service identifiers and geodetic or civic location information to service URIs and service boundaries. In particular, it can be used to determine the location-appropriate Public Safety Answering Point (PSAP) for emergency services.
The <mapping> element is used to encapsulate information about service boundaries is defined in the LoST protocol specification and circumscribes the region within which all locations map to the same service Uniform Resource Identifier (URI) or set of URIs for a given service.
This document defines an XML protocol to exchange these mappings between two nodes. This mechanism is designed for the exchange of authoritative <mapping> elements between two entities. Exchanging cached <mapping> elements, i.e. non-authoritative elements, is possible but not envisioned. In any case, this document can also be used without the LoST protocol even though the format of the <mapping> element is re-used from the LoST specification.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 09, 2013.
Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Since the early days of emergency services there has been a desire to route emergency calls to Public Safety Answering Points (PSAPs) that are nearest to the location of the emergency caller. For this purpose each PSAP discloses one or multiple service boundaries so that this information can be used to select the appropriate PSAP and to route the call to it. RFC 5222 [RFC5222] defines this data structure in the following way:
RFC 5222 [RFC5222] not only defines the term but it also specifies the data structure itself: the <mapping> element.
This document re-uses this existing data structure and defines an XML-based protocol to exchange authoritative service boundaries between two entities (the LoST Sync source and the LoST Sync destination). This protocol can be used with and without the actual LoST protocol.
The rest of the document is structured as follows: Section 3 starts with an example usage of the LoST protocol. In Section 4, Section 5, Section 6, and Section 7 we describe the protocol semantics, transport considerations and the schema. Finally, we conclude with operational and security considerations in Section 8, and in Section 9.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
This document reuses terminology introduced by the mapping architecture document [RFC5582], such as 'coverage region', 'forest guide', 'mapping', 'authoritative mapping server', and 'ESRP'.
Throughout this document we use the term LoST Sync source and LoST Sync destination to denote the protocol end points of the exchange. The protocol is referred as LoST Sync within the text.
The LoST Sync mechanism can, for example, be used in the LoST architecture, as specified in the [RFC5582]. There, LoST servers act in different roles that cooperate to provide an ubiquitous, globally scalable and resilient mapping service. In the LoST mapping architecture, LoST servers can peer, i.e., have an on-going data exchange relationship. Peering relationships are set up manually, based on local policies. A LoST server may peer with any number of other LoST servers. Forest guides peer with other forest guides; authoritative mapping servers peer with forest guides and other authoritative servers, either in the same cluster or above or below them in the tree. Authoritative mapping servers push coverage regions "up" the tree, i.e., from child nodes to parent nodes. The child informs the parent of the geospatial or civic region that it covers for a specific service.
Consider a hypothetical deployent of LoST in two countries, for example Austria and Finland. Austria, in our example, runs three authoritative mapping servers labeled as 'East', 'West' and 'Vienna' whereby the former two cover the entire country expect for Vienna, which is covered by a separate LoST server. There may be other caching LoST servers run by ISPs, universities, and VSPs but they are not relevant for this illustration. Finland, on the other hand, decided to only deploy a single LoST server that also acts as a Forest Guide. For this simplistic illustration we assume that only one service is available, namely 'urn:service:sos' since otherwise the number of stored mappings would have to be multiplied by the number of used services.
+---LoST-Sync-->\\ //<--LoST-Sync----+
| ----- |
| |
\/ \/
----- -----
// \\ // \\
/ \ / \
| Forest | | Forest |
| Guide | | Guide |
| Austria | | Finland
\ / \ /
+--------->\\ //<--------+ \\ //
| ----- | -----
| /\ | |
LoST | LoST //------\\
Sync LoST Sync |Co-Located|
| Sync | | LoST |
\/ | \/ | Server |
//----\\ \/ //----\\ \\------//
| LoST | //----\\ | LoST |
| Server | | LoST | | Server |
| (East) | | Server | |(Vienna)|
\\----// | (West) | \\----//
\\----//
Figure 1 shows the example deployment.
<mapping
xmlns="urn:ietf:params:xml:ns:lost1"
xmlns:gml="http://www.opengis.net/gml"
expires="2009-01-01T01:44:33Z"
lastUpdated="2009-12-01T01:00:00Z"
source="east-austria.lost-example.com"
sourceId="e8b05a41d8d1415b80f2cdbb96ccf109">
<displayName xml:lang="en">LoST Server 'East'</displayName>
<service>urn:service:sos</service>
<serviceBoundary profile="geodetic-2d">
<gml:Polygon srsName="urn:ogc:def::crs:EPSG::4326">
<gml:exterior>
<gml:LinearRing>
<gml:pos> ... </gml:pos>
..... list of coordinates for
boundary of LoST server 'East'
<gml:pos> ... </gml:pos>
</gml:LinearRing>
</gml:exterior>
</gml:Polygon>
</serviceBoundary>
<uri/>
</mapping>
<mapping xmlns="urn:ietf:params:xml:ns:lost1"
expires="2007-01-01T01:44:33Z"
lastUpdated="2006-11-01T01:00:00Z"
source="finland.lost-example.com"
sourceId="7e3f40b098c711dbb6060800200c9a66">
<displayName xml:lang="en">Finland ESRP</displayName>
<service>urn:service:sos</service>
<serviceBoundary profile="civic">
<civicAddress
xmlns="urn:ietf:params:xml:ns:pidf:geopriv10:civicAddr">
<country>FI</country>
</civicAddress>
</serviceBoundary>
<uri/>
</mapping>
<mapping xmlns="urn:ietf:params:xml:ns:lost1"
expires="2007-01-01T01:44:33Z"
lastUpdated="2006-11-01T01:00:00Z"
source="finland.lost-example.com"
sourceId="7e3f40b098c711dbb6060800200c9a66">
<displayName xml:lang="en">Finland ESRP</displayName>
<service>urn:service:sos</service>
<serviceBoundary profile="civic">
<civicAddress
xmlns="urn:ietf:params:xml:ns:pidf:geopriv10:civicAddr">
<country>FI</country>
</civicAddress>
</serviceBoundary>
<uri>sip:esrp@finland-example.com</uri>
<uri>xmpp:esrp@finland-example.com</uri>
<serviceNumber>112</serviceNumber>
</mapping>
The configuration of these nodes would therefore be as follows:
The LoST sync mechanism described in this document could be run between the two Forest Guides. Thereby, the three mappings stored in the Austria FG are sent to the FG Finland and a single mapping in the FG Finland is sent to the FG Austria. Additionally, the three Austrian LoST servers could utilize LoST sync to inform the Austrian FG about their boundaries. These three authoritative mapping servers in Austria would be responsible to maintain their own mapping information. Since the amount of data being exchanged is small and the expected rate of change is low the nodes are configured to always exchange all their mapping information whenever a change happens.
This document defines two types of exchanges and those are best described by the exchange between two nodes as shown in Figure 5 and Figure 6. The protocol exchange always runs between a LoST Sync source and a LoST Sync destination. Node A in the examples of Figure 5 and Figure 6 has mappings that Node B is going to retrieve. Node A acts as the source for the data and Node B is the destination.
+---------+ +---------+
| Node B | | Node A |
| acting | | acting |
| as | | as |
| LoST | | LoST |
| Sync | | Sync |
| Dest. | | Source |
+---------+ +---------+
| |
| |
| |
| <getMappingsRequest> |
|----------------------------->|
| |
| <getMappingsResponse> |
|<-----------------------------|
| |
| |
| |
The <getMappingsRequest> request allows a LoST Sync source to request mappings from a LoST Sync destination.
Note that in the exchange illustrated in Figure 5 Node B is issuing the first request and plays the role of the HTTPS client and Node A plays the role of the HTTPS server.
The <pushMappingsRequest> exchange allows a LoST Sync source to push mappings to LoST Sync destination. In this example we assume that Node A has been configured maintain state about the mappings it had pushed to Node B.
No publish/subscribe mechanism is defined in this document that would allow Node B to tell Node A about what mappings it is interested in nor a mechanism for learning to which entities mappings have to be pushed.
+---------+ +---------+
| Node A | | Node B |
| acting | | acting |
| as | | as |
| LoST | | LoST |
| Sync | | Sync |
| Source | | Dest. |
+---------+ +---------+
| |
| |
| |
| <pushMappingsRequest> |
|----------------------------->|
| |
| <pushMappingsResponse> |
|<-----------------------------|
| |
| |
| |
Node A issuing the first request in Figure 6 plays the role of the HTTPS client and Node B plays the role of the HTTPS server.
A LoST Sync destination has two ways to retrieve mapping elements from a LoST Sync source.
In response to the <getMappingsRequest> message the LoST Sync destination waits for the <getMappingsResponse> message. In case of a successful response the LoST Sync destination stores the received mappings and determines which mappings to update.
When a LoST Sync source receives an empty <getMappingsRequest> message then all locally available mappings MUST be returned.
When a LoST Sync source receives a <getMappingsRequest> message with one or multiple <exists> child element(s) then it MUST consult with the local mapping database to determine whether any of the mappings of the client is stale and whether there are mappings locally that the client does not yet have. The former can be determined by finding mappings corresponding to the 'source' and 'sourceID' attribut where a mapping with a more recent lastUpdated date exists.
Processing a <getMappingsRequest> message MAY lead to a successful response in the form of a <getMappingsResponse> or an <errors> message. Only the <badRequest>, <forbidden>, <internalError>, <serverTimeout> errors, defined in [RFC5222], are utilized by this specification. Neither the <redirect> nor the <warnings> messages are reused by this message.
<?xml version="1.0" encoding="UTF-8"?> <getMappingsRequest xmlns="urn:ietf:params:xml:ns:lostsync1"/>
The first example shows an empty <getMappingsRequest> message that would retrieve all locally stored mappings at the LoST Sync source.
A further example request is shown in Figure 8 and the corresponding response is depicted in Figure 9. In this example the <getMappingsRequest> element contains information about the mapping that is locally available to the client inside the <mapping-fingerprint> element (with source="authoritative.bar.example", sourceId="7e3f40b098c711dbb6060800200c9a66", and lastUpdated="2006-11-01T01:00:00Z"). The query asks for mappings that are more recent than the available one as well as any missing mapping.
<?xml version="1.0" encoding="UTF-8"?>
<getMappingsRequest xmlns="urn:ietf:params:xml:ns:lostsync1">
<exists>
<mapping-fingerprint source="authoritative.bar.example"
sourceId="7e3f40b098c711dbb6060800200c9a66"
lastUpdated="2006-11-01T01:00:00Z">
</mapping-fingerprint>
</exists>
</getMappingsRequest>
The response to the above request is shown in Figure 9. A more recent mapping was available with the identification of source="authoritative.bar.example" and sourceId="7e3f40b098c711dbb6060800200c9a66". Only one mapping that matched source="authoritative.foo.example" was found and returned.
<?xml version="1.0" encoding="UTF-8"?>
<sync:getMappingsResponse
xmlns:sync="urn:ietf:params:xml:ns:lostsync1"
xmlns="urn:ietf:params:xml:ns:lost1"
xmlns:gml="http://www.opengis.net/gml">
<mapping source="authoritative.bar.example"
sourceId="7e3f40b098c711dbb6060800200c9a66"
lastUpdated="2008-11-26T01:00:00Z"
expires="2009-12-26T01:00:00Z">
<displayName xml:lang="en">Leonia Police Department
</displayName>
<service>urn:service:sos.police</service>
<serviceBoundary
profile="urn:ietf:params:lost:location-profile:basic-civic">
<civicAddress
xmlns="urn:ietf:params:xml:ns:pidf:geopriv10:civicAddr">
<country>US</country>
<A1>NJ</A1>
<A3>Leonia</A3>
<PC>07605</PC>
</civicAddress>
</serviceBoundary>
<uri>sip:police@leonianj2.example.org</uri>
<serviceNumber>911</serviceNumber>
</mapping>
<mapping expires="2009-01-01T01:44:33Z"
lastUpdated="2008-11-01T01:00:00Z"
source="authoritative.foo.example"
sourceId="7e3f40b098c711dbb606011111111111">
<displayName xml:lang="en">New York City Police Department
</displayName>
<service>urn:service:sos.police</service>
<serviceBoundary profile="geodetic-2d">
<gml:Polygon srsName="urn:ogc:def::crs:EPSG::4326">
<gml:exterior>
<gml:LinearRing>
<gml:pos>37.775 -122.4194</gml:pos>
<gml:pos>37.555 -122.4194</gml:pos>
<gml:pos>37.555 -122.4264</gml:pos>
<gml:pos>37.775 -122.4264</gml:pos>
<gml:pos>37.775 -122.4194</gml:pos>
</gml:LinearRing>
</gml:exterior>
</gml:Polygon>
</serviceBoundary>
<uri>sip:nypd@example.com</uri>
<uri>xmpp:nypd@example.com</uri>
<serviceNumber>911</serviceNumber>
</mapping>
</sync:getMappingsResponse>
When a LoST Sync source obtains new information that is of interest to its peers, it may push the new mappings to its peers. Configuration settings at both peers decide whether this functionality is used and what mappings are pushed to which other peers. New mappings may arrive through various means, such as a manual addition to the local mapping database, or through the interaction with other entities. Deleting mappings may also trigger a protocol interaction.
The LoST Sync source SHOULD keep track of which LoST Sync destination it has pushed mapping elements. If it does not keep state information then it always has to push the complete data set. As discussed in Section 5.1 of [RFC5222], mapping elements are identified by the 'source', 'sourceID' and 'lastUpdated' attributes. A mapping is considered the same if these three attributes match.
A <pushMappings> request sent by a LoST Sync source MUST containing one or more <mapping> elements.
To delete a mapping, the content of the mapping is left empty, i.e. the <mapping> element only contains the 'source', 'sourceID', 'lastUpdated', and 'expires" attribute. Figure 12 shows an example request where the mapping with the source="nj.us.example", sourceId="123", lastUpdated="2008-11-01T01:00:00Z", expires="2008-11-01T01:00:00Z" is requested to be deleted. Note that the 'expires' attribute is required per schema definition but will be ignored in processing the request on the receiving side. A sync source may want to delete the mapping from its internal mapping database, but has to remember which peers it has distributed this update to unless it has other ways to ensure that databases do not get out of sync.
When a LoST Sync destination receives a <pushMappingsRequest> message then the cache with the existing mappings is inspected to determine whether the received mapping should lead to an update of an already existing mapping, should create a new mapping in the cache, or should be discarded.
If a newly received mapping has a more recent time in its 'lastUpdated' attribute, it MUST update an existing mapping that has matching 'source' and 'sourceID' attributes.
If the received mapping does not match with any existing mapping based on the 'source' and 'sourceId' then it MUST be added to the local cache as an independent mapping.
If a <pushMappingsRequest> message with an empty <mapping> element is received then a corresponding mapping has to be determined based on the 'source', and the 'sourceID'.
If no mapping can be identified then an <errors> response MUST be returned that contains the <notDeleted> child element. The <notDeleted> element MAY contain a 'message' attribute with an error description used for debugging purposes. The <notDeleted> element MUST contain the <mapping> element(s) that caused the error.
The response to a <pushMappingsRequest> request is a <pushMappingsResponse> message. With this specification, a successful response message returns no additional elements, whereas an <errors> response is returned in the response message, if the request failed. Only the <badRequest>, <forbidden>, <internalError> or <serverTimeout> errors defined in Section 13.1 of [RFC5222], are used. The <redirect> and <warnings> messages are not used for this query/response.
If the set of nodes that are synchronizing their data does not form a tree, it is possible that the same information arrives through several other nodes. This is unavoidable, but generally only imposes a modest overhead. (It would be possible to create a spanning tree in the same fashion as IP multicast, but the complexity does not seem warranted, given the relatively low volume of data.)
source="authoritative.example" sourceId="7e3f40b098c711dbb6060800200c9a66" lastUpdated="2008-11-26T01:00:00Z"
source="authoritative.example" sourceId="7e3f40b098c711dbb606011111111111" lastUpdated="2008-11-01T01:00:00Z"
An example is shown in Figure 12. Imagine a LoST node that obtained two new mappings identified as follows:
These two mappings have to be added to the peer's mapping database.
Additionally, the following mapping has to be deleted:
<?xml version="1.0" encoding="UTF-8"?>
<sync:pushMappings
xmlns:sync="urn:ietf:params:xml:ns:lostsync1"
xmlns="urn:ietf:params:xml:ns:lost1"
xmlns:gml="http://www.opengis.net/gml">
<mapping source="authoritative.example"
sourceId="7e3f40b098c711dbb6060800200c9a66"
lastUpdated="2008-11-26T01:00:00Z"
expires="2009-12-26T01:00:00Z">
<displayName xml:lang="en">Leonia Police Department
</displayName>
<service>urn:service:sos.police</service>
<serviceBoundary
profile="urn:ietf:params:lost:location-profile:basic-civic">
<civicAddress
xmlns="urn:ietf:params:xml:ns:pidf:geopriv10:civicAddr">
<country>US</country>
<A1>NJ</A1>
<A3>Leonia</A3>
<PC>07605</PC>
</civicAddress>
</serviceBoundary>
<uri>sip:police@leonianj.example.org</uri>
<serviceNumber>911</serviceNumber>
</mapping>
<mapping expires="2009-01-01T01:44:33Z"
lastUpdated="2008-11-01T01:00:00Z"
source="authoritative.example"
sourceId="7e3f40b098c711dbb606011111111111">
<displayName xml:lang="en">New York City Police Department
</displayName>
<service>urn:service:sos.police</service>
<serviceBoundary profile="geodetic-2d">
<gml:Polygon srsName="urn:ogc:def::crs:EPSG::4326">
<gml:exterior>
<gml:LinearRing>
<gml:pos>37.775 -122.4194</gml:pos>
<gml:pos>37.555 -122.4194</gml:pos>
<gml:pos>37.555 -122.4264</gml:pos>
<gml:pos>37.775 -122.4264</gml:pos>
<gml:pos>37.775 -122.4194</gml:pos>
</gml:LinearRing>
</gml:exterior>
</gml:Polygon>
</serviceBoundary>
<uri>sip:nypd@example.com</uri>
<uri>xmpp:nypd@example.com</uri>
<serviceNumber>911</serviceNumber>
</mapping>
<mapping source="nj.us.example"
sourceId="123"
lastUpdated="2008-11-01T01:00:00Z"
expires="2008-11-01T01:00:00Z"/>
</sync:pushMappings>
In response, the peer performs the necessary operation and updates its mapping database. In particular, it will check whether the other peer is authorized to perform the update and whether the elements and attributes contain values that it understands. In our example, a positive response is returned as shown in Figure 13.
<?xml version="1.0" encoding="UTF-8"?> <pushMappingsResponse xmlns="urn:ietf:params:xml:ns:lostsync1" />
<?xml version="1.0" encoding="UTF-8"?>
<errors xmlns="urn:ietf:params:xml:ns:lost1"
xmlns:sync="urn:ietf:params:xml:ns:lostsync1"
source="nodeA.example.com">
<sync:notDeleted
message="Could not delete the indicated mapping."
xml:lang="en">
<mapping source="nj.us.example"
sourceId="123"
lastUpdated="2008-11-01T01:00:00Z"
expires="2008-11-01T01:00:00Z"/>
</sync:notDeleted>
</errors>
In case that a mapping could not be deleted as requested the following error response might be returned instead.
LoST Sync needs an underlying protocol transport mechanism to carry requests and responses. This document uses HTTPS as a transport to exchange XML documents. No fallback to HTTP is provided.
When using HTTP-over-TLS [RFC2818], LoST Sync messages use the POST method. Request MUST use the Cache-Control response directive "no-cache".
All LoST Sync responses, including those indicating a LoST warning or error, are carried in 2xx responses, typically 200 (OK). 3xx, 4xx and 5xx HTTP response codes indicates that the request itself failed or was redirected; these responses do not contain any LoST Sync XML elements.
Note: In order to avoid copying pattern definitions from the LoST Relax NG schema [RFC5222] to this document we include it as "lost.rng" (XML syntax) in the Relax NG schema below.
<?xml version="1.0" encoding="utf-8"?>
<grammar ns="urn:ietf:params:xml:ns:lostsync1"
xmlns="http://relaxng.org/ns/structure/1.0"
xmlns:a="http://relaxng.org/ns/compatibility/annotations/1.0"
datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes">
<include href="lost.rng"/>
<start combine="choice">
<a:documentation> Location-to-Service Translation (LoST)
Synchronization Protocol</a:documentation>
<choice>
<ref name="pushMappings"/>
<ref name="pushMappingsResponse"/>
<ref name="getMappingsRequest"/>
<ref name="getMappingsResponse"/>
</choice>
</start>
<define name="pushMappings">
<element name="pushMappings">
<oneOrMore>
<ref name="mapping"/>
</oneOrMore>
<ref name="extensionPoint"/>
</element>
</define>
<define name="pushMappingsResponse">
<element name="pushMappingsResponse">
<ref name="extensionPoint"/>
</element>
</define>
<define name="getMappingsRequest">
<element name="getMappingsRequest">
<choice>
<ref name="exists"></ref>
<ref name="extensionPoint"/>
</choice>
</element>
</define>
<define name="exists">
<element name="exists">
<oneOrMore>
<element name="mapping-fingerprint">
<attribute name="source">
<data type="token"/>
</attribute>
<attribute name="sourceId">
<data type="token"/>
</attribute>
<attribute name="lastUpdated">
<data type="dateTime"/>
</attribute>
<ref name="extensionPoint"/>
</element>
</oneOrMore>
</element>
</define>
<define name="getMappingsResponse">
<element name="getMappingsResponse">
<oneOrMore>
<ref name="mapping"/>
</oneOrMore>
<ref name="extensionPoint"/>
</element>
</define>
<!-- error messages -->
<define name="notDeleted">
<element name="notDeleted">
<ref name="basicException"/>
<oneOrMore>
<ref name="mapping"/>
</oneOrMore>
</element>
</define>
</grammar>
When different LoST servers use the mechanism described in this document to synchronize their mapping data then it is important to ensure that loops are avoided. The example shown in Figure 16 with three LoST servers A, B and C (each of them acts as a sync source and a sync destination) illustrates the challenge in more detail. A and B synchronize data between each other; the same is true for A and C, and B and C, respectively.
A -------- B
\ /
\ /
\ /
\ /
C
Now, imagine that server A adds a new mapping. This mapping is uniquely identified by the combination of "source", "sourceid" and "last updated". Assume that A would push this new mapping to B and C. When B obtained this new mapping it would find out that it has to distribute it to its peer C. C would also want to distribute the mapping to B. If the original mapping with the "source", "sourceid" and "last updated" is not modified by either B or C then these two servers would recognize that they already possess the mapping and can ignore the update.
It is important that implementations MUST NOT modify mappings they receive. An entity acting maliciously would, however, intentially modify mappings or inject bogus mappings. To avoid the possibility of an untrustworthy member claiming a coverage region that it is not authorized for, authoritative mapping server MUST sign mappings they distribute using an XML digital signature [W3C.REC-xmldsig-core-20020212]. A recipient MUST verify that the signing entity is indeed authorized to speak for that region. In many cases, this will require an out-of-band agreement to be in place to agree on specific entities to take on this role. Determining who can speak for a particular region is inherently difficult unless there is a small set of authorizing entities that participants in the mapping architecture can trust. Receiving systems should be particularly suspicious if an existing coverage region is replaced by a new one that contains a different value in the <uri> element. When mappings are digitially signed, they cannot be modified by intermediate LoST servers.
This document defines a protocol for exchange of authoritative mapping information between two entities. Hence, the protocol operations described in this document require authentication of neighboring nodes.
The LoST Sync client and servers MUST implement TLS and use TLS. Which version(s) ought to be implemented will vary over time, and depend on the widespread deployment and known security vulnerabilities at the time of implementation. At the time of this writing, TLS version 1.2 [RFC5246] is the most recent version, but has very limited actual deployment, and might not be readily available in implementation toolkits. TLS version 1.0 [RFC2246] is the most widely deployed version, and will give the broadest interoperability.
Mutual authentication between the LoST Sync source and the LoST Sync destination is not necessarily required in all deployments unless an emergency service authority wants to enforce access control prior to the distribution of their mapping elements. This may, for example, be the case when certain emergency services network internal mappings are not meant for public distribution.
An additional threat is caused by compromised or misconfigured LoST servers. A denial of service could be the consequence of an injected mapping. If the mapping data contains an URL that does not exist then emergency services for the indicated area are not reachable. If all mapping data contains URLs that point to a single PSAP (rather than a large number of PSAPs) then this PSAP is likely to experience overload conditions. If the mapping data contains a URL that points to a server controlled by the adversary itself then it might impersonate PSAPs.
Section 8 discusses this security threat and mandates signed mappings. For unusal changes to the mapping database approval by a system administrator of the emergency services infrastructure (or a similar expert) may be required before any mappings are installed.
This specification requests the registration of a new media type according to the procedures of RFC 4288 [RFC4288] and guidelines in RFC 3023 [RFC3023].
Please register the schema defined in this document under the XML schema registry at http://www.iana.org/assignments/xml-registry/schema.html
Please register the namespace defined in this document under the XML namespace registry at http://www.iana.org/assignments/xml-registry/ns.html
BEGIN
<?xml version="1.0"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML Basic 1.0//EN"
"http://www.w3.org/TR/xhtml-basic/xhtml-basic10.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="content-type"
content="text/html;charset=iso-8859-1"/>
<title>LoST Synchronization Namespace</title>
</head>
<body>
<h1>Namespace for LoST server synchronization</h1>
<h2>urn:ietf:params:xml:ns:lostsync1</h2>
<p>See <a href="[URL of published RFC]">RFCXXXX
[NOTE TO IANA/RFC-EDITOR:
Please replace XXXX with the RFC number of this
specification.]</a>.</p>
</body>
</html>
END
Robins George, Cullen Jennings, Karl Heinz Wolf, Richard Barnes, Mayutan Arumaithurai, Alexander Mayrhofer, and Andrew Newton provided helpful input. Jari Urpalainen assisted with the Relax NG schema. We would also like to thank our document shepherd Roger Marshall for his help with the document.
We would like to particularly thank Andrew Newton for his timely and valuable review of the XML-related content.
We would like to thank Robert Sparks, Barry Leiba, Stephen Farrell, Brian Haberman, Pete Resnick, and Sean Turner for their AD reviews. We would also like to thank Bjoern Hoehrmann for his media type review, Julian Reschke and Martin Duerst for their applications area reviews, and Wassim Haddad for his Gen-ART review.
| [RFC5582] | Schulzrinne, H., "Location-to-URL Mapping Architecture and Framework", RFC 5582, September 2009. |