ecrit                                                      R. Marshall, Ed.
Internet-Draft                                                          TCS
Expires: October 10, 2005                                   H. Schulzrinne
                                                                Columbia U.
                                                              April 8, 2005

Requirements for Emergency Context Resolution with Internet Technologies

draft-schulzrinne-ecrit-requirements-00

Status of this Memo

This document is an Internet-Draft and is subject to all provisions of Section 3 of RFC 3667. By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she become aware will be disclosed, in accordance with RFC 3668.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as “work in progress.”

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

This Internet-Draft will expire on October 10, 2005.

Copyright Notice

Copyright © The Internet Society (2005).

Abstract

[hgs,updated]This document enumerates requirements for emergency calls placed by the public using voice-over-IP (VoIP) and general Internet multimedia systems, where Internet protocols are used end-to-end, from the caller to the public safety answering point (PSAP) answering the call. These requirements for end-to-end IP-based emergency calling address functional and security issues for determining the correct emergency address, for identifying the appropriate PSAP and for identifying the caller and the caller's current location.



Table of Contents

1.  Introduction
2.  Terminology
3.  Requirements
4.  Emergency Address
5.  Identifying the Caller Location
6.  Identifying the Appropriate Emergency Call Center
7.  Routing of Calls
8.  Identifying the Caller
9.  Call Setup and Call Features
10.  [rosen,3.4]Additional Information
11.  Security Considerations
12.  Contributors
13.  Acknowledgments
14.  References
    14.1  Normative References
    14.2  Informative References
§  Authors' Addresses
§  Intellectual Property and Copyright Statements





1. Introduction

Users of telephone-like services expect to be able to call for emergency help, such as police, the fire department or an ambulance, regardless of where they are, what (if any) service provider they are using and what kind of device they are using. Unfortunately, the mechanisms for emergency calls that have evolved in the public circuit-switched telephone network (PSTN) are not quite appropriate for evolving IP-based voice, text and real-time multimedia communications. This document outlines some of the requirements that end systems and network elements such as SIP proxies need to satisfy in order to provide emergency call services that offer at least the same functionality as existing PSTN services, while hopefully making emergency calling more robust, cheaper to implement and multimedia-capable.

In the future, users of other real-time and near real-time services may also expect to be able to summon emergency help. For example, instant messaging (IM) users may want to use such services. IM is particularly helpful for hearing-disabled users (RFC 3351 (Charlton, N., Gasson, M., Gybels, G., Spanner, M., and A. van Wijk, “User Requirements for the Session Initiation Protocol (SIP) in Support of Deaf, Hard of Hearing and Speech-impaired Individuals,” August 2002.)[3]) and in cases where bandwidth is scarce.

This document only focuses on end-to-end IP-based calls, i.e., where the emergency call originates from an IP end system and terminates at the emergency call taker who also uses IP-based communication facilities.

End-to-end emergency calls originate on an Internet device, traverse IP networks and terminate on an IP-capable PSAP.

Emergency calls need to be identified (see Section 4 (Emergency Address)) and need to be routed to the appropriate PSAP (see Section 6 (Identifying the Appropriate Emergency Call Center)). The PSAP needs to determine who (see Section 8 (Identifying the Caller)) placed the call from where (see Section 5 (Identifying the Caller Location)). Emergency calls may not be subject to access restrictions placed on non-emergency calls. Also, some call features may interfere with emergency calls, particularly if triggered accidentally (Section 9 (Call Setup and Call Features)).




2. Terminology

In this document, the key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as described in RFC 2119 (Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” March 1997.)[1] and indicate requirement levels for compliant implementations.

Since a requirements document does not directly specify an implementable protocol, these compliance labels should be read as indicating requirements for the protocol or architecture, rather than for an implementation.

For lack of a better term, we will use the term "caller" or "emergency caller" to refer to the person placing an emergency call or sending an emergency IM.

Application (Voice) Service Provider (ASP, VSP):
The organization that provides voice or other application-layer services, such as call routing, a SIP URI or PSTN termination. This organization can be a private individual, an enterprise, a government or a service provider. We avoid the term voice service provider as emergency calls are likely to use other media, including text and video, in the future. For a particular user, the ASP may not be the same organization as the IAP or ISP.
Basic emergency service:
Basic emergency service allows a user to reach a PSAP serving its current location, but the PSAP may not be able to determine the identity or geographic location of the caller (except by having the call taker ask the caller).
Call taker:
A call taker is an agent, typically a government employee, at the PSAP that accepts calls and may dispatch emergency help. (Sometimes the functions of call taking and dispatching are handled by different groups of people, but these divisions of labor are not generally visible to the outside and thus do not concern us here.)
ECC (emergency control center):
Facilities used by emergency organizations to accept and handle emergency calls. A PSAP (below) forwards emergency calls to the emergency control center, which dispatches police, fire, rescue and other emergency services. An ECC serves a limited geographic area. A PSAP and ECC can be combined into one facility (ETSI SR 002 180 definition). We assume that the ECC is reachable by IP-based protocols, such as SIP for call signaling and RTP for media.
Enhanced emergency service:
Enhanced emergency services add the ability to identify the caller identity and/or caller location to basic emergency services. (Sometimes, only the caller location may be known, e.g., from a public access point that is not owned by an individual.)
Internet access provider (IAP):
An organization that provides physical network connectivity to its customers or users, e.g., through digital subscriber lines, cable TV plants, Ethernet, leased lines or radio frequencies. This entity may or may not also provide IP routing, IP addresses, or other Internet protocol services. Examples of such organizations include telecommunication carriers, municipal utilities, larger enterprises with their own network infrastructure, and government organizations such as the military.
Internet service provider (ISP):
An organization that provides IP network-layer services to its customers or users. This entity may or may not provide the physical-layer and layer-2 connectivity, such as fiber or Ethernet.
Location validation:
A caller location is considered valid if the civic or geospatial address exists and can be mapped to one or more PSAPs. Location validation ensures that a location is valid.
PSAP (public safety answering point):
Physical location where emergency calls are received under the responsibility of a public authority. (This terminology is used by both ETSI, in ETSI SR 002 180, and NENA.) In the United Kingdom, PSAPs are called Operator Assistance Centres, in New Zealand Communications Centres. We assume that the PSAP is reachable by IP-based protocols, such as SIP for call signaling and RTP for media.
End-User:
The user or user-device entity that needs to send its location to another entity in the network.
Domain:
An area or group of services falling within a specific category or jurisdictional boundary.
Domain Authentication and Validation Entity:
A node that has authority within a given domain to authenticate and validate user location information.



3. Requirements

Below, we summarize high-level architectural requirements that guide some of the component requirements detailed later in the document.

R1: Voice Service Provider:
The existence of a voice service provider MUST NOT be assumed.
Motivation: The caller may not have a voice service provider, i.e., a corporate entity that provides voice services as a business. For example, a residence may have its own DNS domain and run its own SIP proxy server for that domain. On a larger scale, a university might provide voice services to its students and staff, but not be a telecommunication provider.
R2: International:
The protocols and protocol extensions developed MUST consider regional, political and organizational differences.
Motivation: It must be possible for a device or software developed or purchased in one country to place emergency calls in another country. System components should not be biased towards a particular set of emergency numbers or languages. Also, different countries have evolved different ways of organizing emergency services, e.g., either centralizing them or having smaller regional subdivisions such as United States counties or municipalities handle emergency calls.
R3: Distributed Administration:
Deployment of emergency services MUST NOT depend on a sole central administration authority.
Motivation: Once common standards are established, it MUST be possible to deploy and administer emergency calling features on a regional or national basis without requiring coordination with other regions or nations. The system cannot assume, for example, that there is a single global entity issuing certificates for PSAPs, ASPs, IAPs or other participants.
R4: Multimedia:
Emergency calls MUST support the use of multimedia data and services.
Motivation: Emergency calling must support a variety of media, not just voice. Such media include conversational text, instant messaging and video. In addition, it should be possible to convey telemetry data, such as data from automobile crash sensors.
R5: Multiple Modes:
Multiple communication modes SHOULD be supported.
Motivation: [stastny, Requirement S5] Provide all possible means of communication, not only speech, but also text (IM), Video, etc., (for disabled persons and better display of the situation)
[Ed. Suggest combine above two req's]
R6: Minimum Connectivity:
Motivation: [rosen,3.7, Connections to the Emergency Services Network; 3.7-1: ]If there is network connectivity between the emergency caller and the PSAP, and routing information is available, the call SHOULD be completed, even if other parts of the network are not reachable.
[ed. note: don't understand above statement]
R7: Incremental Deployment:
Emergency calls from IP-based devices MUST be incrementally supported.
Motivation: [schulzrinne, sos Requirement 6] Any mechanism must be deployable incrementally and work even if not all entities support IP-based emergency calling. For example, user agents conforming to the SIP specification [1], but unaware of this document, must be able to place emergency calls, possibly with restricted functionality.
[Ed. changed above paragraph to make non-SIP specific]
R9: Middlebox Reliance:
It MUST NOT be assumed that end devices alone, without communication gateways and middlebox servers, are sufficient.
Motivation: [stastny, Requirement M6] For a transient time the device and the UA may use the help of servers (e.g. ESRP) to provide the connectivity to ECC, especially for ECC not yet connected to the Internet.
R12:
[rosen, 3.8-2: ]Each subsystem in the i3 solution shall be designed such that the system survives major disruption including disaster, deliberate attack, and massive element failure.
R11:
[rosen, 3.8-1: ]There shall be no single point of failure.



4. Emergency Address

The emergency address is used by the emergency caller to declare a call to be an emergency call and to guide the call to a PSAP. The emergency address could be a "sip", "sips" or "tel" URI, or some other, yet-to-be-defined URI scheme.

A1: Universal:
Each device and all network elements MUST recognize one or more global emergency call identifiers, regardless of the location of the device, the service provider used (if any) or other factors.
[Note: (TS) is it necessary to say that if we don't want to exclude something at the moment?]
Motivation: SIP and other call signaling protocols are not specific to one country or service provider, and devices are likely to be used across national or service provider boundaries. Since services such as disabling mandatory authentication for emergency calls (S1) require the cooperation of outbound proxies, the outbound proxy has to be able to recognize the emergency address and be assured that it will be routed as an emergency call. Thus, a simple declaration on a random URI that it is an emergency call will likely lead to fraud and possibly attacks on the network infrastructure. A universal address also makes it possible to create user interface elements that are correctly configured without user intervention. UA features could be made to work without such an identifier, but the user interface would then have to provide an unambiguous way to declare a particular call an emergency call.
A2: Local:
Since many countries have already deployed national emergency numbers, such as 911 in North America and 112 in large parts of Europe, UAs, proxies and call routers MUST recognize local emergency numbers. In addition, they SHOULD recognize emergency numbers that are found elsewhere.
Motivation: The latter requirement is meant to help travelers that may not know the local emergency number and instinctively dial the number they are used to from home. However, it is unlikely that all systems could be programmed to recognize any emergency number used anywhere as some of these numbers are used for non-emergency purposes, in particular extensions and service numbers.
A3: Recognizable:
Emergency calls MUST be recognizable by user agents, proxies and other network elements. To prevent fraud, an address identified as an emergency number for call features or authentication override MUST also cause routing to a PSAP.
A4: Minimal configuration:
Any local emergency numbers SHOULD be configured automatically, without user intervention.
Motivation: A new UA "unofficially imported" into an organization from elsewhere should have the same emergency capabilities as one officially installed.
A5: Secure configuration:
Devices SHOULD be assured of the correctness of the local emergency numbers that are automatically configured.
Motivation: If we assume a fixed, global emergency service identifier that requires no configuration and only configure local "traditional" emergency numbers, users are not likely to suddenly dial some random number if a rogue configuration server introduces this as an additional emergency number. The ability to override all locally configured emergency numbers is of more concern.
A6: Backwards-compatible:
Existing devices that predate the specification of emergency call-related protocols and conventions MUST be able to reach a PSAP.
R34: Common Identifier:
User-initiated requests using local initiation methods (e.g. 9-1-1) MUST be supported across non-local domains (e.g. foreign countries).
Motivation: [schulzrinne, sos Requirement 5] While traveling, users must be able to use their familiar "home" emergency identifier. Users should also be able to dial the local emergency number in the country they are visiting.
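The following is an added example, not code from the draft or its authors, of how a user agent or outbound proxy could apply requirements A2, A3 and A5 together: one emergency-address policy is consulted both for the authentication override and for routing, so an address that unlocks emergency treatment is always also routed to a PSAP; local and "home" numbers are both recognized; and configuration may add numbers freely but cannot remove built-in ones unless the configuration source is authenticated. The global identifier `urn:example:sos`, the number sets and the URI grammar are assumptions for illustration (the draft leaves the scheme undefined).

```python
# Added example (not from the draft): a single emergency-address policy shared
# by the authentication-override path and the routing path (A3), recognizing
# local and "home" numbers (A2) and protecting built-in numbers from
# unauthenticated configuration changes (A5).
import re
from dataclasses import dataclass

# Hypothetical fixed global emergency identifier; the draft leaves the scheme open.
GLOBAL_EMERGENCY_ID = "urn:example:sos"


def normalize_number(dialed: str) -> str:
    """Strip visual separators so '9-1-1', '9 1 1' and '911' compare equal."""
    return re.sub(r"[\s\-.()]", "", dialed)


@dataclass(frozen=True)
class EmergencyDecision:
    is_emergency: bool
    reason: str      # matched rule, kept for the audit trail
    route_to: str    # "psap" when is_emergency, otherwise "normal"


class EmergencyAddressPolicy:
    def __init__(self, builtin_numbers, home_numbers=()):
        self.builtin = {normalize_number(n) for n in builtin_numbers}
        self.local = set(self.builtin)
        self.home = {normalize_number(n) for n in home_numbers}

    def configure(self, add=(), remove=(), authenticated=False):
        """A4/A5: additions are low risk and accepted from any configuration
        source; removing a built-in number requires an authenticated source."""
        self.local |= {normalize_number(n) for n in add}
        for n in remove:
            n = normalize_number(n)
            if n in self.builtin and not authenticated:
                continue                     # refuse to drop a built-in number
            self.local.discard(n)

    def classify(self, target: str) -> EmergencyDecision:
        if target == GLOBAL_EMERGENCY_ID:
            return EmergencyDecision(True, "global-identifier", "psap")
        # Assumed grammar: optional tel/sip/sips prefix, digits with separators,
        # optional host part. The host part is ignored on purpose: recognition
        # is by number, and the decision forces routing to a PSAP.
        m = re.match(r"^(?:tel:|sip:|sips:)?([\d\s\-.()]+)(?:@[^\s]+)?$", target)
        if m:
            num = normalize_number(m.group(1))
            if num in self.local:
                return EmergencyDecision(True, "local-number", "psap")
            if num in self.home:
                return EmergencyDecision(True, "home-number", "psap")
        return EmergencyDecision(False, "no-match", "normal")


def may_skip_authentication(policy: EmergencyAddressPolicy, target: str) -> bool:
    """The S1-style authentication override is derived from the same decision
    that routes the call, so a self-declared 'emergency' URI gains nothing."""
    d = policy.classify(target)
    return d.is_emergency and d.route_to == "psap"


if __name__ == "__main__":
    policy = EmergencyAddressPolicy(["911"], home_numbers=["112"])
    for t in ("tel:9-1-1", "sip:112@example.com", "sip:alice@example.com"):
        print(t, policy.classify(t), may_skip_authentication(policy, t))
```

The point of returning one decision object is that a proxy never has two code paths that can disagree about whether a call is an emergency call; the audit `reason` field records which rule matched, which is what an operator needs when a number is reported as mis-classified.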



5. Identifying the Caller Location

The caller location needs to be identified for two purposes, namely to route the call to the appropriate PSAP and to display the caller location to the call taker to simplify dispatching emergency assistance to the correct location.

This section supplements the requirements outlined in RFC 3693 (Cuellar, J., Morris, J., Mulligan, D., Peterson, J., and J. Polk, “Geopriv Requirements,” February 2004.)[4]. Thus, the requirements enumerated there are not repeated here. In general, we can distinguish three modes of operation:

UA-inserted:
The caller's user agent inserts the location information, derived from sources such as GPS, DHCP or link-layer announcements (LLDP).
UA-referenced:
The caller's user agent provides a reference, via a permanent or temporary identifier, to the location which is stored by a location service somewhere else and then retrieved by the PSAP.
Proxy-inserted:
A proxy along the call path inserts the location or location reference.

L1: Multiple location services:
For UA-referenced locations, PSAPs MUST be able to access different location providers. The location provider may be tied to the ASP, IAP or ISP or may be independent of these entities.
Motivation: This requirement avoids forcing all users to rely on a single location service provider. It is hard to avoid if there are no traditional national application-layer service providers.
L2: Civic and geographic:
Where available, both civic (street address) and geographic (longitude/latitude) information SHOULD be provided to the PSAP.
Motivation: While geographic information can usually be translated into civic coordinates, some coordinates, such as building numbers and floors, are more easily provided as civic coordinates since they do not require a detailed surveying operation. For direct location determination, it may also be easier for the user to check civic coordinates for correctness.
L3: Location source identification:
Sources and transformations of location data MUST be indicated to the PSAP. Transformations include conversions across datums or from civic to geospatial coordinates.
Motivation: This allows the PSAP to better judge the reliability and accuracy of the data and track down problems.
L4: Certifiable:
In some cases, the source and generation time of the location object used for call routing and caller location display must be verifiable, e.g., by a digital signature. The security requirements describe this in more detail.
L5: Multiple addresses:
The location of the caller may be described by multiple addresses, either because they provide both civic and geospatial coordinates or because different entities differ in their assessment of where the caller is located.
L6: Validation:
It must be possible to validate an address prior to its use in an actual emergency call. Note that this may be considered part of requirement I16 (Testable).
L7: Provide location
[rosen]3.2-1: Calls using VoIP or subsequent methods are expected to supply location with the call.
L8: Accept two location types
3.2-2: PSAPs shall accept location as civic and/or geo specified.
L9: Altitude included with location
3.2-3: All representations of location shall include the ability to carry altitude. This requirement does not imply altitude is always used or supplied.
L10: Preferred datum
3.2-4: The preferred coordinate system for emergency calls is WGS-84.
L11: Multiple locations
3.2-5: If multiple Location Objects are provided with a call, it should be possible to identify the most accurate, current, appropriate location information to be used for routing emergency calls and dispatching emergency responders.
L12: Location presenter
3.2-6: No assumption shall be made that the entity presenting the call to the PSAP has any knowledge of, or control over the provider of location. The location provider may be independent of all other service providers handling the call.
L13: Requery location
3.2-7: PSAPs shall have the ability to requery for a location update.
L14: Default location
3.2-8: PSAPs shall be able to make use of default location information when measurement based location determination mechanisms fail. Examples include tower/Access Point location, last known fix, etc.
L15: Default identification
3.2-9: PSAPs must be made aware when default location information was used to route a call.
L16: Location Responsibility:
Location determination MUST assume a responsible party.
Motivation: [winterbottom, Requirement 3.1] The emergency network in most cases today is accessed via the PSTN using either a wireline or a cellular device. In both cases location information is provided by the Carrier and is used directly to route the call. Since the Carrier must route the call to the emergency network, the emergency network holds the carrier responsible for the correct location determination and routing, and this forms the basis of requirement 1. A certain level of authentication and validation around the source of the location is required for the domain in which the information is to be used.
L17: Time of Location:
Location determination MUST be relevant to the time of the call.
Motivation: [winterbottom, Requirement 3.2] The location information MUST be attributed to a specific point in time. That is, the location used for routing and which is reported to the emergency services operator must be the actual location of the caller at the time of making the call. This provides operators with confidence that the End-User is at the location. This is accomplished today with existing telephony networks either through the use of a calling-number to address "wire-map" database, or for cellular with more complex triangulation and GPS based techniques where the location is determined by the network and delivered at the time of the call.
L18: Location, End-User:
Location provided with the call MUST be associated with an end-user.
Motivation: [winterbottom, Requirement 3.3] The location information MUST be attributed to a specific End-User. That is, for each call initiated, the emergency network requires that the location was determined for that specific caller and is not reused from a location determination applicable to a different End-User. This information defines when the location was attributed to the End-User, thereby tying a valid location to a user at a specific point in time.
L19: Location Domain Availability:
The location domain MUST be obtainable by the end-user.
Motivation: [winterbottom, Requirement 3.4] Requirement 1 states that a level of authentication and validation for the source of the location is required. This implies the need for the End-User to determine the authenticating and validating entity for the emergency services domain in which they reside. That is, it must be possible for an End-User to discover and utilize an answerable source of location in the access network they are using.
L20: Location Certification:
The location provided MUST be certified.
Motivation: [winterbottom, Requirement 3.5] The End-User must be able to establish a session with the access domain authenticating and validating entity to obtain a certified location. The authentication of the location is granted with an expiry time, after which the location within the domain is deemed invalid.
L21: Location and End-User Identity:
It MUST NOT be assumed that the end-user identity provided with the location is the true identity of the end-user.
Motivation: [winterbottom, Requirement 3.6] The session between the End-User and the domain authenticating and validating entity SHALL NOT require the true identity of the End-User. That is, the true identity of the user need never be revealed to the domain authenticating and validating entity, a random unique pseudonym generated within the authenticated domain is sufficient.
L22: Location Acceptability:
Location provided by the end-user MUST be considered acceptable as input to the authentication and validation entity.
Motivation: [winterbottom, Requirement 3.7] The domain authenticating and validation entity MUST be able to accept a location provided by an End-User. On receipt of the End-User's location, the domain authenticating and validation entity SHOULD validate the location as being applicable to that domain, that is, that it falls within reasonable geographic boundaries for that domain, before returning the certified location to the End-User.
L23: Location Sources:
It MUST NOT be assumed that the location is always provided by the end-user.
Motivation: [winterbottom, Requirement 3.8] The End-User may have no means of determining or providing a location, in which case the domain authentication and validation entity MAY provide an estimate of location.
L24: Location Query Authorization:
The ability to query an end-user's location using a location key MUST be limited to authorized end points.
Motivation: [winterbottom, Requirement 3.9] Where the End-User does not desire the transmission of their location in-band with their call setup, they shall have the option of requesting a unique query key such that only authorized end points may query the location directly from the domain.
L25: Location Domain Authorization:
The location source entity MUST be authorized within the access domain.
Motivation: [winterbottom, restated] The source of the location is considered to be authorized to provide the location within the access domain.
L26: Endpoint Location:
Location MUST be tied to an endpoint within the access domain.
Motivation: [winterbottom, restated] The location is tied to an end-point inside the access domain controlled by the source.
L27:
Location MUST be bound to the end-point at call time.
Motivation: [winterbottom, restated] The binding between location and end-point is correct at the time of the call.
[Ed. note: Can we combine above two into one requirement?]
L28: Location Sources:
A single source of location MUST NOT be assumed.
Motivation: [stastny, Requirement M4] To achieve this, the device MUST be able to retrieve its current location from the access provider, from the infrastructure, via GPS, ... or as last resort, from the user itself.
L29: Location Provided:
The endpoint location SHOULD be provided to the ECC.
Motivation: [stastny, Requirement S1] Transmission of the current location of the contacting device to the ECC
L30: Provide Endpoint Location:
Identification of the endpoint or end-user SHOULD be provided to the ECC.
Motivation: [stastny, Requirement S3] Identification of the contacting person or device
L31: Diverse Location Technologies:
Emergency services SHOULD support a variety of current and future location determination technologies.
Motivation: [schulzrinne, sos Requirement 9] Emergency call mechanisms should not require a specific technology for determining the location of the caller.
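As an added example that is not part of the draft, the following Python sketches the exchange implied by L20 through L23 on the issuing side and by L3, L4, L15 and L17 on the PSAP side: a domain authentication and validation entity accepts an end-user-supplied location, checks that it falls within the domain's boundaries, binds it to a pseudonym and an issue time, attaches an expiry, and certifies the object; the PSAP verifies integrity and freshness and is told when a default location was used. The shared-key HMAC, the bounding-box domain, the field names and the sample coordinates are all assumptions made for the example; the draft only says "e.g., by a digital signature", and a real deployment would use a public-key signature so that the PSAP holds no secret.

```python
# Added example (not from the draft): a toy "domain authentication and
# validation entity" certifying an end-user location (L20-L23), and the
# PSAP-side verification of the certified object (L3, L4, L15, L17).
import hashlib
import hmac
import json
import time

# Assumption for the example: domain entity and PSAP share a key, and HMAC
# stands in for the digital signature the draft mentions in L4.
DOMAIN_KEY = b"constructed-demo-key-not-for-production"


class DomainValidator:
    def __init__(self, domain, bbox, default_location, ttl=300):
        self.domain = domain
        self.bbox = bbox                  # (min_lat, max_lat, min_lon, max_lon), WGS-84
        self.default = default_location   # e.g. access-point location (L14)
        self.ttl = ttl                    # seconds the certification stays valid (L20)

    def _in_domain(self, lat, lon):
        min_lat, max_lat, min_lon, max_lon = self.bbox
        return min_lat <= lat <= max_lat and min_lon <= lon <= max_lon

    def certify(self, pseudonym, location=None, now=None):
        """Return a certified location object. 'pseudonym' is a random per-
        domain identifier, never the user's true identity (L21)."""
        now = int(now if now is not None else time.time())
        if location is None:                                  # L23: no user location
            loc, source = dict(self.default), "default"
        elif self._in_domain(location["lat"], location["lon"]):  # L22: plausibility
            loc, source = dict(location), "end-user"
        else:
            raise ValueError("location outside domain boundaries")
        obj = {
            "domain": self.domain,
            "pseudonym": pseudonym,
            "location": loc,
            "datum": "WGS-84",                 # L10: preferred datum
            "source": source,                  # L3: source indication
            "transform": [],                   # L3: no conversions applied here
            "issued": now,                     # L17: time the location applies to
            "expires": now + self.ttl,         # L20: certification expiry
        }
        payload = json.dumps(obj, sort_keys=True).encode()
        obj["mac"] = hmac.new(DOMAIN_KEY, payload, hashlib.sha256).hexdigest()
        return obj


def psap_verify(obj, now=None):
    """Return (accepted, reason). Rejects tampered or expired objects and flags
    default locations so the call taker knows the fix is not measured (L15)."""
    now = int(now if now is not None else time.time())
    body = {k: v for k, v in obj.items() if k != "mac"}
    payload = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(DOMAIN_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, obj.get("mac", "")):
        return False, "bad-mac"
    if now > obj["expires"]:
        return False, "expired"
    if obj["source"] == "default":
        return True, "default-location-used"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a campus access domain in northern Manhattan.
    v = DomainValidator("access.example", (40.0, 41.0, -74.5, -73.5),
                        {"lat": 40.8, "lon": -73.96})
    certified = v.certify("anon-7f3a", {"lat": 40.81, "lon": -73.96})
    print(psap_verify(certified))
```

Two details carry the security weight: the MAC covers the canonical JSON of every field, so neither the location nor the timestamps can be altered after issuance, and the PSAP compares digests with `hmac.compare_digest` to avoid a timing side channel on verification.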



6. Identifying the Appropriate Emergency Call Center

From the previous section, we take the requirement of a single (or small number of) emergency addresses which are independent of the caller's location. However, since for reasons of robustness, jurisdiction and local knowledge, PSAPs only serve a limited geographic region, having the call reach the correct PSAP is crucial. While a PSAP may be able to transfer an errant call, any such transfer is likely to add tens of seconds to call setup latency and is prone to errors. (In the United States, there are about 6,100 PSAPs.)

Several terms are used for causing the call signaling to reach the geographically appropriate PSAP. This has been referred to as call routing, (PSAP) lookup or location mapping, all capturing aspects of the problem.

There appear to be two basic architectures for translating an emergency address into the correct IPSAP. We refer to these as caller-based and mediated. In caller-based resolution, the caller's user agent consults a directory and determines the correct IPSAP based on its location. We assume that the user agent can determine its own location, either by knowing it locally or asking some third party for it. A UA could conceivably store a complete list of all PSAPs across the world, but that would require frequent synchronization with a master database as PSAPs merge or jurisdictional boundaries change.

For mediated resolution, a call signaling server, such as a SIP (outbound) proxy or redirect server, performs this function. Note that the latter case includes the architecture where the call is effectively routed to a copy of the database, rather than having some non-SIP protocol query the database. Since servers may be used as outbound proxy servers by clients that are not in the same geographic area as the proxy server, any proxy server has to be able to translate any caller location to the appropriate PSAP. (A traveller may, for example, accidentally or intentionally configure its home proxy server as its outbound proxy server, even while far away from home.)

Note that the first proxy doing the translation may not be in the same geographic area as the UA placing the emergency call.

The resolution may take place well before the actual emergency call is placed, or at the time of the call.

The problem is harder than for traditional web or email services. There, the originator knows which entity it wants to reach, identified by the email address or HTTP URL. However, the emergency caller only dialed an emergency address. Depending on the location, any of several tens of thousands of PSAPs around the world could be valid. In addition, the caller probably does not care which specific PSAP answers the call, but rather that it be an accredited PSAP, e.g., one run by the local government authorities. (Many PSAPs are run by private entities. For example, universities and corporations with large campuses often have their own emergency response centers.)

I1: Correct PSAP:
The system MUST reach the correct PSAP, that is, a PSAP that serves the location of the caller. In particular, the location determination should not be fooled by the location of IP telephony gateways or dial-in lines into a corporate LAN (and dispatch emergency help to the gateway or campus, rather than the caller), multi-site LANs and similar arrangements.
I2: Early routing:
In mediated mode, the first proxy server along a request path MUST attempt to route the call to the appropriate IPSAP.
Motivation: Proxy servers close to the caller can be expected to have better call routing knowledge, particularly if international boundaries are being crossed.
I3: Multi-stage:
The user agent or a call routing entity close to the caller may not be able to deliver the call directly to the serving PSAP, but rather to an intermediary that in turn uses caller location information to route the call closer to the appropriate PSAP.
I4: Choice of IPSAPs:
The system SHOULD offer the emergency caller a choice as to whether he wants to reach a local private emergency response center, e.g., on a corporate campus, or the government-run emergency call center responsible for his current location.
Motivation: This choice is often, but not always, provided today. For example, in some cases, the local campus emergency center is reachable by a different number or 9-911 reaches the external PSAP, while 911 reaches campus security.
I5: Assuring IPSAP identity:
The emergency caller SHOULD be able to determine conclusively that he has reached an accredited emergency call center.
Motivation: This requirement is meant to address the threat that a rogue, possibly criminal, entity pretends to accept emergency calls.
Implementations SHOULD allow callers to proceed, with appropriate warnings or user confirmations, if the identity of the destination IPSAP cannot be verified.
Motivation: Verification can fail for any number of reasons, such as lack of a common certificate chain, especially when traveling, call forwarding, or the expiration of certificates. Accreditation, e.g., in the case of corporate or university campuses, may not exist.
I6: Traceable resolution:
Particularly for mediated resolution, the caller SHOULD be able to definitively and securely determine who provided the resolution answer.
I7: Assuring directory identity:
The querier (UA or server) MUST be able to assure that it is querying the intended directory.
I8: Query response integrity:
The querier MUST be able to be confident that the query or response has not been tampered with.
I9: Assuring update integrity:
Any update mechanism for the directory MUST ensure that only authorized users can change directory information. An audit trail MUST be provided.
I10: Call setup latency:
The directory lookup SHOULD add minimal delay to the call setup. Since outbound proxies will likely be asked to resolve the same geographic coordinates repeatedly, a suitable time-limited caching mechanism SHOULD be supported (see also "Ix").
I11: Multiple directories:
A UA or proxy SHOULD be able to use multiple different directories to resolve the emergency address. We do not assume that a single directory has worldwide or even nationwide coverage.
Motivation: This allows competing or regional data sources.
I12: Referral:
All directories SHOULD refer out-of-area queries to an appropriate default or region-specific directory.
Motivation: This requirement alleviates the potential for misconfigurations to cause calls to fail, particularly for caller-based queries.
I13: Multiple query protocols:
It MAY be useful if directories support multiple query protocols, such as SIP (for proxying), IRIS, LDAP, a SOAP-based query and others. A mandatory-to-implement protocol MUST be specified and an over-abundance of similarly-capable choices appears undesirable for interoperability.
Motivation: It appears likely that the resolution mechanism will be needed by a variety of session protocols and user applications.
I14: Robustness:
The resolution mechanism MUST allow the deployment of systems that are robust in the face of partial network and directory server failures. Caching MAY be used to mitigate temporary unavailability of directories or network connectivity. As long as the PSAP is reachable by the caller, a temporary failure of the lookup and routing mechanism should not prevent completion of the emergency call.
I15: Incrementally deployable:
An Internet-based emergency call system MUST be able to be deployed incrementally. In the initial stages of deployment, an emergency call may not reach the optimal PSAP.
I16: Testable:
A user SHOULD be able to test whether a particular address reaches the appropriate PSAP, without actually causing emergency help to be dispatched or consuming PSAP call taker resources. Such tests MUST indicate the source of any problems, including the validity and plausibility of civic and geospatial location addresses. This requirement also allows address validation.
I17: ECC Availability:
ECC communication MUST be continuously available.
Motivation: [stastny, Requirement M1] From any Internet-connected device it MUST be possible at any time to contact the ECC responsible for the current location, using the most appropriate method of communication for the user and the device.
I18: ECC Testability:
Testability MUST be available to determine ready access to the location-appropriate ECC.
Motivation: [stastny, Requirement M2] The possibility of making contact with the proper ECC has to be verified and indicated to the user and/or the User Agent.
I19:
Motivation: [schulzrinne, sos Requirement 7] Given incremental deployment, emergency call functionality should be testable by the user without causing an emergency response.
I20
[rosen, 3.8-4: ]The solution shall include mechanisms to test each element and complete call chains from caller end device to internal PSAP systems without interfering with real emergency calls.
I21
3.8-5: Mechanisms must be provided to provide constant verification of service availability to the PSAP.
[Ed. Suggest combining above (4) req's]
I22: ECC Identification:
Public access to ECC selection information MUST be assumed.
Motivation: [stastny, Requirement M5] The capability to locate the responsible ECC must be available in the public infrastructure without the additional need for a service provider.
I23:
Motivation: [schulzrinne, sos Requirement 1] SIP-based end systems must be able to reach emergency call centers. These emergency call centers may have SIP capabilities or may be reachable only via a SIP-to-PSTN gateway. Since each ECC serves only a limited geographic area, often defined by jurisdictional boundaries such as state, province or county, SIP-based emergency requests MUST
[ed., suggest deleting above (incomplete) requirement]
I24: Cross-Jurisdiction Device Support:
Devices SHOULD support alternate emergency service systems between countries.
Motivation: [schulzrinne, sos Requirement 4] Even as each country is likely to operate their emergency calling infrastructure differently, SIP devices should be able to reach emergency help and, if possible, be located in any country.
I25:
Motivation: [schulzrinne, sos Requirement 8] Emergency calling mechanisms must support existing emergency call centers based on circuit-switched technology as well as future ECC that are SIP-capable.
[Ed. note: Is this in scope?]



7. Routing of Calls

RC1
[rosen,3.6]3.6-1: Calls MUST be routed to the correct PSAP based on the location of the caller and the declared service boundary of the PSAP.
RC2
3.6-2: Routing MUST be possible on either civic or geo location information.
RC3
3.6-3: It MUST be possible to route a call based on either a civic or a geo location without requiring conversion from one to the other. This requirement does not prohibit an implementation from converting and using the resulting conversion for routing. However, see Req ?.
RC4
3.6-4: It MUST be possible for a designated 9-1-1 authority for a PSAP to approve of any geo-coding database used to assist in determining routing of calls to that PSAP. Mechanisms must be provided for the designated 9-1-1 authority for the PSAP to test, and certify a geo-coding database as suitable for routing calls to the PSAP. The PSAP may choose to NOT avail itself of such a mechanism.
RC5
3.6-5: It MUST be possible for the designated 9-1-1 authority to supply, maintain, or approve of databases used for civic routing. Mechanisms must be provided for a designated authority for a PSAP to test and certify a civic routing database as suitable for routing calls to that PSAP.
RC6
3.6-6: It MUST be possible for the PSAP itself (or a contractor it nominates on its behalf) to provide geocode and reverse geocode data and/or conversion service to be used for routing determination. This implies definition of a standard interchange format for geocode data, and protocols to access it.
RC7
3.6-7: The PSAP MUST have a mechanism to declare its serving boundaries (in civic and geo formats) for routing purposes.
RC8
3.6-8: Boundaries for civic routing MUST be able to be specific to a street address range, a side of a street (even/odd street addresses), a building within a "campus", or any of the location fields available.
RC9
3.6-9: It MUST be possible to use various combined components of the location object for determination of routing. Some areas may only require routing to a country level, others to a state/province, others to a county, or to a municipality, and so on. No assumption should be made on the granularity of routing boundaries or about the combination of components used.
RC10
3.6-10: Boundary mechanisms for geo routing MUST be able to be specific to a natural political boundary, a natural physical boundary (such as a river), or the boundaries listed in Req ? above.
RC11
3.6-11: Routing databases using 9-1-1 Valid Addresses or lat/lon/altitude as keys MUST both be available to all entities needing to route 9-1-1 calls.
RC12
3.6-12: Carriers, enterprises and other entities that route emergency calls MUST be able to route calls from any location to its appropriate PSAP.
RC13
3.6-13: It MUST be possible for a given PSAP to decide where its calls should be routed.
RC14
3.6-14: It is desirable for higher level civic authorities such as a county or state/province to be able to make common routing decisions for all PSAPs within their jurisdiction. For example, a state may wish to have all emergency calls placed within that state directed to a specific URI. This does NOT imply a single answering point; further routing may occur beyond the common URI.
RC15
3.6-15: Routing MAY change on short notice due to local conditions, traffic, failures, schedule, etc.
RC16
3.6-16: Information and mechanisms used to determine routing MUST be extremely reliable and available, which implies redundancy, protocol stability, and resiliency.
RC17
3.6-17: Routing information MUST be secured against unauthorized modification. PSAPs (or perhaps a higher level civic authority such as a county, state/province or national body) or their designated representative must be the only entities permitted to change routing information.
RC18
3.6-18: It MUST be possible to supply contingency routing information, for example, an alternate URI or an E.164 to be used when normal routing fails.
RC19
3.6-19: Multiple types of failures MAY have different contingency routes.
RC20
3.6-20: It MUST be possible to provide more than one contingency route for the same type of failure.
RC21
3.6-21: A procedure MUST be specified to handle "default route" capability when no location is available or the location information is corrupted.
RC22
3.6-22: Location available at the time the call is routed MAY not be accurate. Updates to location may result in a different route and the system MUST accommodate this.
RC23
3.6-23: Default routes MUST be available when location information is not available.
RC24
3.6-24: Access Infrastructure providers MUST provide a location object that is as accurate as possible when location measurement or lookup mechanisms fail.
RC25
3.6-25: Entities routing emergency calls SHALL retain information used to choose a route for subsequent error resolution.
RC26
3.6-26: It SHOULD be possible to have updates of location (which may occur when measuring devices provide an early, but imprecise, "first fix" location) which can change routing of calls.
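The resolution behaviour the requirements above describe, from the time-limited caching and out-of-area referral of I10 and I12 to the boundary declarations, default routes and contingency routes of RC1 to RC23, as an added illustration in Python (not code from this draft or from any ECRIT implementation; every PSAP name, URI, boundary and address below is a constructed sample value):

```python
# Added illustration, not from the draft: a routing directory that declares PSAP
# boundaries in geo (polygon) and civic (street range, side of street) form, routes
# on either form without conversion, falls to contingency and default routes,
# refers out-of-area queries upward, and caches answers. All values constructed.
import time
from collections import namedtuple
from dataclasses import dataclass, field
Civic = namedtuple("Civic", "street low high side")   # civic boundary (RC8); side: even/odd/both
def civic_contains(c, street, number):
    if street.lower() != c.street.lower() or not c.low <= number <= c.high:
        return False
    return c.side == "both" or (number % 2 == 0) == (c.side == "even")

@dataclass
class Psap:
    name: str
    uri: str
    polygon: list                 # [(lon, lat), ...] geo service boundary (RC7)
    civic: list = field(default_factory=list)
    contingency: list = field(default_factory=list)  # ordered fallback URIs (RC18-RC20)
    available: bool = True

def point_in_polygon(lon, lat, poly):   # even-odd ray casting on a closed polygon
    inside = False
    for i, (x1, y1) in enumerate(poly):
        x2, y2 = poly[(i + 1) % len(poly)]
        if (y1 > lat) != (y2 > lat) and lon < x1 + (lat - y1) * (x2 - x1) / (y2 - y1):
            inside = not inside
    return inside

def valid_geo(geo):                     # reject a corrupted location object (RC21)
    return isinstance(geo, tuple) and len(geo) == 2 and all(isinstance(v, (int, float)) for v in geo)

class Directory:
    def __init__(self, psaps, default_uri, parent=None, ttl=300):
        self.psaps, self.default_uri, self.parent, self.ttl = psaps, default_uri, parent, ttl
        self.cache = {}           # query -> (uri, expiry): time-limited cache (I10)

    def _match(self, geo, civic):
        for p in self.psaps:
            if (geo and point_in_polygon(geo[0], geo[1], p.polygon)) or \
               (civic and any(civic_contains(c, *civic) for c in p.civic)):
                return p
        return None

    def resolve(self, geo=None, civic=None, now=None):   # -> (uri, source of the answer)
        now = time.time() if now is None else now
        key = (geo, civic)
        if key in self.cache and self.cache[key][1] > now:
            return self.cache[key][0], "cache"
        if (geo is None and civic is None) or (geo is not None and not valid_geo(geo)):
            return self.default_uri, "default"      # RC21, RC23
        psap = self._match(geo, civic)
        if psap is None:                            # I12: refer out-of-area query to parent
            return self.parent.resolve(geo, civic, now) if self.parent else (self.default_uri, "default")
        if not psap.available:                      # RC18; not cached, routes may change (RC15)
            return (psap.contingency[0] if psap.contingency else self.default_uri), "contingency"
        self.cache[key] = (psap.uri, now + self.ttl)
        return psap.uri, psap.name

# Constructed sample data: two neighbouring local PSAPs and a regional parent directory.
PSAP_A = Psap("psap-a", "sip:psap-a@example.net",
              [(-122.40, 47.60), (-122.30, 47.60), (-122.30, 47.70), (-122.40, 47.70)],
              civic=[Civic("Elliott Ave", 2000, 2999, "odd")], contingency=["sip:psap-a-backup@example.net"])
PSAP_B = Psap("psap-b", "sip:psap-b@example.net",
              [(-122.30, 47.60), (-122.20, 47.60), (-122.20, 47.70), (-122.30, 47.70)],
              civic=[Civic("Elliott Ave", 2000, 2999, "even")])
REGIONAL = Directory([Psap("regional", "sip:regional@example.net", [(-123, 47), (-121, 47), (-121, 48), (-123, 48)])],
                     "sip:regional-default@example.net")
LOCAL = Directory([PSAP_A, PSAP_B], "sip:local-default@example.net", parent=REGIONAL)
```

A real directory would verify who signed each boundary declaration and log every routing decision (RC17, RC25); this sketch only shows the resolution order.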



8. Identifying the Caller

In most jurisdictions, callers do not have a choice as to whether they want to reveal their location or identity; such disclosure is typically mandated by law.

C1: Identity:
The system SHOULD allow (but not force) identification of both the caller's identity and his or her terminal network address.
C2: Privacy override:
The end system MUST be able to automatically detect that a call is an emergency call so that it can override any privacy settings that conflict with emergency calling. (Whether this override can be configured by the user or is considered a condition of service is considered a legal matter, not a protocol issue.)
Motivation: Since emergency calls are often placed by children, by people using somebody else's end system or by people in panic, any configuration should be automated rather than relying on user interaction at the time of the call. Delaying a call until the user discovers that they have to answer some screen prompt or deal with a voice prompt in an unfamiliar language is likely to lead to large call setup delays or call failures. This does not preclude end systems from allowing special call parameters to be configured on a call-by-call basis, e.g., to enable anonymous tip lines.
C3: Recontacting Endpoint:
The ECC SHOULD have the capability to recontact the initiating endpoint after disconnection.
Motivation: [stastny, Requirement S2] Capability to re-contact the contacting device from the ECC in case of disruption or later query for a tbd period of time. This should also be possible from conventional ECC via temporary (virtual) E.164 numbers.



9. Call Setup and Call Features

S1: Authentication override:
In many jurisdictions, emergency calls can be placed by any device, regardless of whether it has subscribed for service. Similarly, outbound proxies and other call filtering elements MUST be able to be configured so that they allow unauthenticated emergency calls.
S2: Mid-call features:
The end system MUST be able to recognize an emergency call and allow configuration so that certain call features are not triggered accidentally. For example, it may be inappropriate to transfer the PSAP or put it on hold. An end system MAY make it more difficult to disconnect an on-going emergency call or accept other incoming calls while in an emergency call.
Motivation: Call transfer initiated by the emergency caller is likely only to be a problem if a PSTN gateway or B2BUA is in the call path. It is not clear how much effort should be expended on preventing intentional, as opposed to accidental, disconnection, since callers can typically find physical-layer means to terminate the call. This feature is not generally available in the PSTN. For example, ANSI T1.628-2001 states that "E9-1-1 Call hold is an optional network feature provided to a PSAP which prevents a caller from disconnecting an ESC. .... However, there is no DSS1 or SS7 support for this capability at this time."
S3: Testable:
Users SHOULD be able to test the ability to place an emergency call without actually invoking an emergency response or tying up emergency call taker resources.
Motivation: This capability is unfortunately missing from the current PSTN.
S4: Integrity:
Implementations MUST provide mechanisms that ensure the integrity of the SIP protocol components that are crucial to providing reliable emergency call service. (This requirement implies authentication of the caller to allow integrity protection of the request and authentication of the PSAP to allow integrity protection of responses.)
S5:
Motivation: [schulzrinne, sos Requirement 2] While current emergency call centers are limited to voice and TDD (telecommunication device for the deaf) communications, future SIP-based ECCs SHOULD handle all relevant means of interaction, including multimedia and instant messaging [8].
[Ed. suggest make non-SIP specific]
S6: Emergency Requests:
Requests for emergency services MUST NOT be assumed to be user initiated.
Motivation: [stastny, Requirement M3] The communication may be established on user request or by external events.
S7: Alternate Call Initiation:
Devices SHOULD support alternate methods for initiating emergency requests.
Motivation: [schulzrinne, sos Requirement 3] It SHOULD be possible for devices to provide user interfaces that can directly cause an emergency call, without the user having to "dial" or type a specific address.
S8
[rosen,3.1]3.1-1: Tracking and Tracing Facilities for all calls must be provided. This includes all routing entities as well as all signaling entities.
S9
3.1-2: Each element in the signaling and routing paths of the solution shall maintain call detail records that can be accessed by management systems to develop call statistics in real time.
S10
3.1-3: The emergency call routing system must harmonize with international specifications to permit local determination of emergency call number (i.e. 9-1-1, 1-1-2).
S11
3.1-4: Mechanisms must be provided to route emergency calls in areas not served by E9-1-1 to an appropriate PSTN telephone number.
S12
3.1-5: Each element of the signaling and routing paths shall provide congestion controls.
S13
3.1-6: It shall be possible to determine the complete call chain of a call, including the identity of each signaling element in the path, and the reason it received the call (Call History).
S14
3.1-7: Support must be provided to accept calls from end offices and MSCs via the Public Switched Telephone Network, using SS7, CAMA and ISDN interfaces.
S15
3.1-8: Call setup time (dialing of last digit to alerting at the PSAP), under expected peak load shall be less than 2 seconds. If CAMA signaling is in the path, then an additional ? seconds is permitted.



10. [rosen,3.4]Additional Information

AI1
3.4-1: In addition to information sent with the call, additional information may be available that is retrieved from internal or external databases using a key to the information included with the call. This key may also include information to identify/address the database.
AI2
3.4-2: Additional information may be available to the call taker based on the location of the caller.
AI3
3.4-3: Additional information may be available to the call taker based on the owner of the structure.
AI4
3.4-4: Additional information may be available to the call taker based on the tenant of the structure.
AI5
3.4-5: Where a vehicle is involved, additional information may be available.
AI6
3.4-6: Additional information may be available based on the Address of Record of the caller. In this context, AoR equates to the caller.
AI7
3.4-7: Consideration should be given to permitting users to have domain-independent mechanisms to supply information related to the caller, for example, another datum related to the user.
AI8: Additional Data:
Transfer of additional data SHOULD be supported.
Motivation: [stastny, Requirement S6] Capabilities to contact the ECC by automatic means and for the transfer of additional information (alarm equipment, cars, buses, trucks with dangerous loads, ...).
[Ed. (also, Non-call initiated event notification covered by R9)]
AI9
[rosen, 3.8-6: ]Mechanisms must be provided for automatically generated misroute and location error reports.



11. Security Considerations

Note: Security Considerations originally described in this section have been removed and will be resubmitted to the ECRIT security document. No reference is yet available.

SEC1: Safeguards from Attacks:
Safeguards SHOULD be provided to assure against network system attacks.
Motivation: [stastny, Requirement S4] Safeguards to protect the emergency infrastructure and ECC facilities against malicious attacks, especially to prevent DoS attacks.
SEC2
3.8-3: Special consideration should be given to "Distributed Denial of Service" attacks.
[Ed. Suggest deletion of above (2) req's, recombine with separate security doc]



12. Contributors

The information contained in this document is a result of a joint effort based on individual contributions by those involved in the ECRIT WG. The contributors include Nadine Abbott, Hideki Arai, Martin Dawson, Motoharu Kawanishi, Brian Rosen, Richard Stastny, Martin Thomson, James Winterbottom.

The contributors can be reached at:

Nadine Abbott          nabbott@telcordia.com

Hideki Arai            arai859@oki.com

Martin Dawson          mdawson@nortelnetworks.com

Motoharu Kawanishi     kawanishi381@oki.com

Brian Rosen            br@brianrosen.net

Richard Stastny        Richard.Stastny@oefeg.at

Martin Thomson         marthom@nortelnetworks.com

James Winterbottom     winterb@nortelnetworks.com



13. Acknowledgments




14. References




14.1 Normative References

[1] Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” BCP 14, RFC 2119, March 1997 (TXT, HTML, XML).
[2] Polk, J., “Requirements for Session Initiation Protocol Location Conveyance,” draft-ietf-sipping-location-requirements-02 (work in progress), October 2004.



14.2 Informative References

[3] Charlton, N., Gasson, M., Gybels, G., Spanner, M., and A. van Wijk, “User Requirements for the Session Initiation Protocol (SIP) in Support of Deaf, Hard of Hearing and Speech-impaired Individuals,” RFC 3351, August 2002.
[4] Cuellar, J., Morris, J., Mulligan, D., Peterson, J., and J. Polk, “Geopriv Requirements,” RFC 3693, February 2004.
[5] National Emergency Number Association, “NENA technical information document on the interface between the E9-1-1 service providers network and the Internet protocol (IP) PSAP,” NENA NENA-08-501, February 2003.



Authors' Addresses

  Roger Marshall (editor)
  TeleCommunication Systems
  2401 Elliott Avenue
  2nd Floor
  Seattle, WA 98121
  US
Phone:  +1 206 792 2424
Email:  rmarshall@telecomsys.com
URI:  http://www.telecomsys.com
  
  Henning Schulzrinne
  Columbia University
  Department of Computer Science
  450 Computer Science Building
  New York, NY 10027
  US
Phone:  +1 212 939 7004
Email:  hgs+ecrit@cs.columbia.edu
URI:  http://www.cs.columbia.edu



Intellectual Property Statement

Disclaimer of Validity

Copyright Statement

Acknowledgment