GeoPriv R. Marshall, Ed. Internet-Draft TCS Intended status: Informational October 11, 2007 Expires: April 13, 2008 Requirements for a Location-by-Reference Mechanism draft-ietf-geopriv-lbyr-requirements-01 Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on April 13, 2008. Copyright Notice Copyright (C) The IETF Trust (2007). Marshall Expires April 13, 2008 [Page 1] Internet-Draft GEOPRIV LbyR Requirements October 2007 Abstract This document defines terminology and provides requirements relating to Location-by-Reference approach to handling location information within signaling and other Internet messaging. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Requirements Terminology . . . . . . . . . . . . . . . . . . . 4 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 3.1. Terms . . . . . . . . . . . . . . . . . . . . . . . . . . 5 4. Basic Actors . . . . . . . . . . . . . . . . . . . . . . . . . 6 5. High-Level Requirements . . . . . . . . . . . . . . . . . . . 8 5.1. Requirements for a Location Configuration Protocol . . . 8 5.2. Requirements for a Location Dereference Protocol . . . . 9 6. Security Considerations . . . . . . . . . . . . . . . . . . . 11 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 13 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14 9.1. Normative References . . . . . . . . . . . . . . . . . . . 14 9.2. Informative References . . . . . . . . . . . . . . . . . . 14 Appendix A. Change log . . . . . . . . . . . . . . . . . . . . . 15 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 16 Intellectual Property and Copyright Statements . . . . . . . . . . 17 Marshall Expires April 13, 2008 [Page 2] Internet-Draft GEOPRIV LbyR Requirements October 2007 1. Introduction Location-based services rely on ready access to location information, which can be through a direct or indirect mechanism. While there is already a direct mechanism which exists to provide location as part of the SIP signaling protocol, an alternative mechanism has been developed for handling location indirectly, via a location reference, a reference which points to the actual location information. This reference is called the location URI, and is used by the mechanism we call Location-by-Reference, or LbyR. Each of the actions by which a location URI can be used is represented by specific individual protocol. For example, a Location Configuration Protocol, is used by a device or middlebox to acquire a location which already exists (examples of this protocol include DHCP, LLDP-MED, and HELD [I-D.ietf-geopriv-http-location-delivery]). The location configuration protocol problem statement and requirements document can be found in [I-D.ietf-geopriv-l7-lcp-ps]. The action of conveying a location URI along from node to node according to specific rules in SIP, for example, is known as a conveyance protocol. A location dereferencing protocol, is used by a client to resolve a location URI in exchange for location information from a dereference server (e.g., a LIS). The structure of this document first defines terminology, or points to the appropriate draft where defined, in Section 3. Then a short discussion on the basic elements which show LbyR. This section on actors, Section 4 includes a basic model, and describes the steps which the LbyR mechanism takes. Requirements are outlined separately for location configuration, Section 5.1, followed by those for a dereferencing protocol, Section 5.2. Location-by-Value, called LbyV, in contrast to LbyR, is a direct location conveyance approach and includes the location object, e.g., a PIDF-LO [RFC4119] in the SIP signaling. Location conveyance is out of scope for this document (see [I-D.ietf-sip-location-conveyance] for an explanation of conveyance of location including both LbyR and LbyV scenarios. Location determination, which may include the processes of manual provisioning, automated measurements, or location transformations, (e.g., geo-coding), are beyond the scope of this document. A detailed discussion of Identity information related to the caller, subscriber, or device, as associated to location or location URI, is also out of scope. Marshall Expires April 13, 2008 [Page 3] Internet-Draft GEOPRIV LbyR Requirements October 2007 2. Requirements Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. Marshall Expires April 13, 2008 [Page 4] Internet-Draft GEOPRIV LbyR Requirements October 2007 3. Terminology This document reuses the terminology of [RFC3693], such as Location Server (LS), Location Recipient (LR), Rule Maker (RM), Target, Location Generator (LG), Location Object (LO), and Using Protocol: 3.1. Terms Location-by-Value (LbyV): The mechanism of representing location either in configuration or conveyance protocols, (i.e., the actual included location value). Location-by-Reference (LbyR): The mechanism of representing location either in configuration, conveyance, or in dereferencing protocols as an identifier which refers to a fully specified location, (i.e., a pointer to the actual location value). Location Configuration Protocol: A protocol which is used by a client to acquire either location or a location URI from a location configuration server, based on information unique to the client. Location Dereference Protocol: A protocol which is used by a client to query a location dereference server, based on location URI input and which returns location information. Location URI: An identifier which serves as a pointer to a location record on a remote host (e.g., LIS). Used within an Location-by- Reference mechanism, a location URI is provided by a location configuration server, and is used as input by a dereference protocol to retrieve location from a dereference server. Marshall Expires April 13, 2008 [Page 5] Internet-Draft GEOPRIV LbyR Requirements October 2007 4. Basic Actors In mobile wireless networks it is not efficient for the end host to periodically query the LIS for up-to-date location information. This is especially the case when power is a constraint or a location update is not immediately needed. Furthermore, the end host might want to delegate the task of retrieving and publishing location information to a third party, such as to a presence server. Finally, in some deployments, the network operator may not want to make location information widely available. These use scenarios motivated the introduction of the LbyR concept. Depending on the type of reference, such as HTTP/HTTPS or SIP Presence URI, different operations can be performed. While an HTTP/ HTTPS URI can be resolved to location information, a SIP Presence URI provides further benefits from the SUBSCRIBE/NOTIFY concept that can additionally be combined with location filters [I-D.ietf-geopriv-loc-filters]. +-----------+ Geopriv +-----------+ | | Location | Location | | LIS +---------------+ Recipient | | | Dereference | | +-----+-----+ Protocol (3) +----+------+ | -- | Geopriv -- | Location -- | Configuration -- | Protocol -- | (1) -- Geopriv | -- Using Protocol | -- (e.g., SIP) +-----+-----+ -- (2) | Target / |-- | End Host + | | +-----------+ Figure 1: Shows the assumed communication model for both a layer 7 location configuration protocol and a dereference protocol: Note that there is no requirement for using the same protocol in (1) and (3). The following list describes the location subscription approach: Marshall Expires April 13, 2008 [Page 6] Internet-Draft GEOPRIV LbyR Requirements October 2007 1. The end host discovers the LIS. 2. The target (end host) sends a request to the LIS asking for a location URI, as shown in (1) of Figure 1. 3. The LIS responds to the request and includes a location object along with a subscription URI. 4. The Target puts the subscription URI into a SIP message and forwards it to a Location Recipient via a using protocol, as shown in (2) of Figure 1. The Location Recipient subscribes to the obtained subscription URI (see (3) of Figure 1) and potentially uses a location filter (see [I-D.ietf-geopriv-loc-filters]) to limit the notification rate. 5. If the Target moves outside a certain area, indicated by a location filter, the Location Recipient will receive a notification. Note that the Target may also act in the role of the Location Recipient whereby it would subscribe to its own location information. For example, the Target obtains a subscription URI from the Geopriv L7 Location Configuration Protocol. It subscribes to the URI in order to obtain its current location information. A service boundary indicates the bounded extent up to which the device can move without the need to have an updated location, since a re-query with any location within the boundary would result in the same answer returned from a location-based service. For LbyR, the LIS needs to maintain a list of randomized location URIs for each host, timing out each of these URIs after the reference expires. Location URIs need to expire to prevent the recipient of such a URI from being able to (in some cases) permanently track a host. Furthermore, an expiration mechanism also offers garbage collection capability for the LIS. Location URIs must be designed to prevent adversaries from obtaining a known Target's location. There are at least two approaches: The location URI contains a random component which helps obscure sequential updates to location, yet still allows any holder of the location URI to obtain location information. Alternatively, the location URI can remain public and the LIS performs access control via a separate authentication mechanism, such as HTTP digest or TLS client side authentication, when resolving the reference to a location object. Marshall Expires April 13, 2008 [Page 7] Internet-Draft GEOPRIV LbyR Requirements October 2007 5. High-Level Requirements This document outlines only requirements for an LbyR mechanism which is used by two different protocols, a location configuration protocol, and a location dereferencing protocol. Each of these protocols has its own unique client and server interactions, and the requirements here are not intended to state what a client or server is expected to do, but rather which requirements must be met by either the configuration or dereferencing protocol itself. 5.1. Requirements for a Location Configuration Protocol Below, we summarize high-level design requirements needed for a location-by-reference mechanism as used within the location configuration protocol. C1. Location URI support: The configuration protocol MUST support a location reference in URI form. Motivation: It is helpful to have a consistent form of key for the LbyR mechanism. C2. Location URI expiration: The lifetime of a location URI SHOULD be indicated. Motivation: Location URIs are not intended to represent a location forever, and the identifier eventually may need to be recycled, or may be subject to a specific window of validity, after which the location reference fails to yield a location, or the location is determined to be kept confidential. C3. Location URI cancellation: The location configuration protocol SHOULD support the ability to request a cancellation of a specific location URI. Motivation: If the client determines that in its best interest to destroy the ability for a location URI to effectively be used to dereference a location, then there should be a way to nullify the location URI. C4. Random Generated: The location URI MUST be hard to guess, i.e., it MUST contain a cryptographically random component. Motivation: There is some benefit to the client if the location URI is generated in an obscured manner so that its sequence, for example in the case of a client's location update, can't be easy guessed. Marshall Expires April 13, 2008 [Page 8] Internet-Draft GEOPRIV LbyR Requirements October 2007 C5. Identity Protection: The location URI MUST NOT contain any information that identifies the user, device or address of record within the URI form. Motivation: It is important to protect caller identity or contact address from being included in the form of the location URI itself when it is generated. C6. Reuse indicator: There SHOULD be a way to allow a client to control whether a location URI can be resolved once or multiple times. Motivation: The client requesting a location URI may request a location URI which has a 'one-time-use' only characteristic, as opposed to a location URI having multiple reuse capability. C7. Location timestamp: There SHOULD be a way to allow a client to determine whether the dereferenced location information refers to the location of the Target at the time when the location URI was created or when it was dereferenced. Motivation: It is important to distinguish between an original and an updated location. 5.2. Requirements for a Location Dereference Protocol Below, we summarize high-level design requirements needed for a location-by-reference mechanism as used within the location dereference protocol. D1. Location URI support: The location dereference protocol MUST support a location reference in URI form. Motivation: It is required that there be consistency of use between location URI formats used in an configuration protocol and those used by a dereference protocol. D2. Location URI expiration status: The location dereference protocol MUST support a message indicating that for a location URI which is no longer valid, that the location URI has expired. Motivation: Location URIs are expected to expire, based on location configuration protocol parameters, and it is therefore useful to convey the expired status of the location URI in the location dereference protocol. Marshall Expires April 13, 2008 [Page 9] Internet-Draft GEOPRIV LbyR Requirements October 2007 D3. Authentication: The location dereference protocol MUST support either client-side and server-side authentication. Motivation: It is reasonable to expect implementations of authentication to vary. Some implementations may choose to implement both client-side and server-side authentication, might implement one only, or may implement neither. D4. Dereferenced Location Form: The dereferenced location MUST result in a well-formed PIDF-LO. Motivation: This is in order to ensure that adequate privacy rules can be adhered to, since the PIDF-LO format comprises the necessary structures to maintain location privacy. D5. Repeated use: The location dereference protocol MUST support the ability for the same location URI to be resolved more than once, based on server settings and configuration server parameters. Motivation: According to configuration server parameters, it may be necessary to have a limit on the number of dereferencing attempts. Marshall Expires April 13, 2008 [Page 10] Internet-Draft GEOPRIV LbyR Requirements October 2007 6. Security Considerations The LbyR mechanism currently addresses security issues as follows. A location URI, regardless of its randomized construction, if public, implies no safeguard against anyone being able to dereference and get the location. The randomization of a location URI in its naming does help prevent some potential guessing, according to some defined pattern. In the instance of one-time- use location URIs, which function similarly to a pawn ticket, the argument can be made that with a pawn ticket, possession implies permission, and location URIs which are public are protected only by privacy rules enforced at the dereference server. Additional security issues will be discussed in the geopriv draft, draft-barnes-geopriv-lo-sec-00.txt. Marshall Expires April 13, 2008 [Page 11] Internet-Draft GEOPRIV LbyR Requirements October 2007 7. IANA Considerations This document does not require actions by the IANA. Marshall Expires April 13, 2008 [Page 12] Internet-Draft GEOPRIV LbyR Requirements October 2007 8. Acknowledgements We would like to thank the IETF GEOPRIV working group chairs, Andy Newton, Allison Mankin and Randall Gellens, for creating the design team which initiated this requirements work. We'd also like to thank those design team participants for their inputs, comments, and reviews. The design team included the following folks: Richard Barnes; Martin Dawson; Keith Drage; Randall Gellens; Ted Hardie; Cullen Jennings; Marc Linsner; Rohan Mahy; Allison Mankin; Roger Marshall; Andrew Newton; Jon Peterson; James M. Polk; Brian Rosen; John Schnizlein; Henning Schulzrinne; Barbara Stark; Hannes Tschofenig; Martin Thomson; and James Winterbottom. Marshall Expires April 13, 2008 [Page 13] Internet-Draft GEOPRIV LbyR Requirements October 2007 9. References 9.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. 9.2. Informative References [I-D.ietf-geopriv-http-location-delivery] Barnes, M., Winterbottom, J., Thomson, M., and B. Stark, "HTTP Enabled Location Delivery (HELD)", draft-ietf-geopriv-http-location-delivery-02 (work in progress), September 2007. [I-D.ietf-geopriv-l7-lcp-ps] Tschofenig, H. and H. Schulzrinne, "GEOPRIV Layer 7 Location Configuration Protocol; Problem Statement and Requirements", draft-ietf-geopriv-l7-lcp-ps-05 (work in progress), September 2007. [I-D.ietf-geopriv-loc-filters] Mahy, R., "A Document Format for Filtering and Reporting Location Notications in the Presence Information Document Format Location Object (PIDF-LO)", draft-ietf-geopriv-loc-filters-01 (work in progress), March 2007. [I-D.ietf-sip-location-conveyance] Polk, J. and B. Rosen, "Location Conveyance for the Session Initiation Protocol", draft-ietf-sip-location-conveyance-08 (work in progress), July 2007. [RFC3693] Cuellar, J., Morris, J., Mulligan, D., Peterson, J., and J. Polk, "Geopriv Requirements", RFC 3693, February 2004. [RFC4119] Peterson, J., "A Presence-based GEOPRIV Location Object Format", RFC 4119, December 2005. Marshall Expires April 13, 2008 [Page 14] Internet-Draft GEOPRIV LbyR Requirements October 2007 Appendix A. Change log Changes to this draft in comparison to the -00 version: 1. Shortened Abstract and Introduction. 2. LDP term gone. Expansion of Location Dereferencing Protocol, deletion of "LDP" acronym throughout, since LDP stands for Label Distribution Protocol elsewhere in the IETF. 3. LCP term is also gone. LCP is used as Link Control Protocol elsewhere (IETF). 4. Reduced the number of terms in the doc. Referenced other drafts or RFCs for repeated terms. 5. Requirement C2. changed to indicate that the URI has a lifetime. 6. C3. Softened by changing from a MUST to a SHOULD. 7. C6. Reworded for clarity. 8. C7. Changed the MUST to a SHOULD to reflect a more appropriate level. 9. D6. Replaced the text to make it clearer. 10. D7. Deleted the requirement since it wasn't an appropriate task for the protocol. 11. Referenced Richard's security document 12. Cleaned up some text. Marshall Expires April 13, 2008 [Page 15] Internet-Draft GEOPRIV LbyR Requirements October 2007 Author's Address Roger Marshall (editor) TeleCommunication Systems, Inc. 2401 Elliott Avenue 2nd Floor Seattle, WA 98121 US Phone: +1 206 792 2424 Email: rmarshall@telecomsys.com URI: http://www.telecomsys.com Marshall Expires April 13, 2008 [Page 16] Internet-Draft GEOPRIV LbyR Requirements October 2007 Full Copyright Statement Copyright (C) The IETF Trust (2007). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Acknowledgment Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA). Marshall Expires April 13, 2008 [Page 17]