Marking of Calls initiated by Public Safety Answering Points (PSAPs)

Summoning police, the fire department or an ambulance in emergencies is one of the fundamental and most-valued functions of the telephone. As telephone functionality moves from circuit-switched telephony to Internet telephony, its users rightfully expect that this core functionality will continue to work at least as well as it has for the legacy technology. New devices and services are being made available that could be used to make a request for help, which are not traditional telephones, and users are increasingly expecting them to be used to place emergency calls. Regulatory requirements demand that the emergency call itself provides enough information to allow the call-taker to initiate a call back to the emergency caller in case the call dropped or to interact with the emergency caller later in case of questions. Such a call, referred as PSAP callback subsequently in this document, may, however, be blocked or forwarded to an answering machine as SIP entities (SIP proxies as well as the SIP UA itself) cannot associate the potential importantance of the call based on the SIP signaling. Note that the authors are, however, not aware of regulatory requirements for providing preferential treatment of callbacks initiated by the call-taker at the PSAP towards the emergency caller nor that these calls have to be treated in any form differently from any other call. Section 10 of discusses the identifiers required for callbacks. Section 13 of provides the following guidance regarding callback handling: A UA may be able to determine a PSAP call back by examining the domain of incoming calls after placing an emergency call and comparing that to the domain of the answering PSAP from the emergency call. Any call from the same domain and directed to the supplied Contact header or AoR after an emergency call should be accepted as a call-back from the PSAP if it occurs within a reasonable time after an emergency call was placed. This approach mimics a stateful packet filtering firewall and is indeed helpful in a number of cases but it may fail in others. Below, we discuss a few cases where this approach fails.

Consider the following emergency call routing scenario shown in where routing towards the PSAP occurs in several stages. An emergency call uses a SIP UA that does not run LoST on the end point. Hence, the call is marked with the 'urn:service:sos' Service URN . The user's VoIP provider receives the emergency call and determines where to route it. Local configuration or a LoST lookup might, in our example, reveal that emergency calls are routed via a dedicated provider FooBar and targeted to a specific entity, referred as esrp1@foobar.com. FooBar does not handle emergency calls itself but performs another resolution step to let calls enter the emergency services network and in this case another resolution step takes place and esrp-a@esinet.org is determined as the recipient, pointing to an edge device at the IP-based emergency services network. Inside the emergency services there might be more sophisticated routing taking place somewhat depending on the existing structure of the emergency services infrastructure.

Imagine the following case where an emergency call enters an emergency network (state.org) via an ERSP but then gets forwarded to a different emergency services network (in our example to police-town.org, fire-town.org or medic-town.org). The same considerations apply when the the police, fire and ambulance networks are part of the state.org sub-domains (e.g., police.state.org).

In case an emergency call enters the PSTN, as shown in , there is no guarantee that the callback some time later does leave the same PSTN/VoIP gateway or that the same end point identifier is used in the forward as well as in the backward direction making it difficult to reliably detect PSAP callbacks.

|Gateway | \\\\ //// | | ------------------- +----+-------+ ^ | | | +-------------+ | +--------+ | | | |VoIP | | PSTN / VoIP | +->|Service | | Gateway | |Provider| | |<------Invite----| Y | +-------------+ +--------+ | ^ | | Invite Invite | | V | +-------+ | SIP | | UA | | Alice | +-------+ ]]>

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in . Emergency services related terminology is borrowed from .

From the previously presented scenarios, the following generic requirements can be crafted: The solution approach MUST offer a way to reliable detect a PSAP callback in light of the challenges presented in . The main possibility of attack involves use of the PSAP callback marking to bypass blacklists, ignore call forwarding procedures and similar features to interact with users and to raise their attention. For example, using PSAP callback marking devices would be able to recognize these types of incoming messages leading to the device overriding user interface configurations, such as vibrate-only mode. As such, the requirement is ensure that only PSAPs can issue callbacks. This may require secure identification of the calling party. When the newly defined extension is not recognized by intermediaries or other entities then it MUST NOT lead to a failure of the call handling procedure but rather a fall-back to a call that did not have any marking provided. A further differentiation has to be made with respect to relationship between the person who previously received the emergency call and the person who triggers the callback. The choices are: The callback has to be made using the same UA. The callback has to made by the same user but potentially with a different UA. A different user from a different UA can make the callback. [Editor' Note: A requirement has to be formulated.]

This version of the document does not yet contain any specific solution approaches. An example solution can be found in an earlier version of . The usage of the In-Reply-To header is another one. Solution categories can be clustered into three areas: Verify that the caller is a PSAP Verify that the call is related to an emergency, but not necessarily an earlier emergency call. This might include public notification (authority-to-citizen). Verify that the call is returning an earlier emergency call. These solution differ in their semantics and in the security impact or user choice.

This document provides discussions problems of PSAP callbacks and lists requirements, some of which illustrate security challenges. The current version does not yet provide a specific solution but rather starts with overall architectural observations. An important aspect from a security point of view is the relationship between the emergency services network and the VSP (assuming that the emergency call travels via the VSP and not directly between the SIP UA and the PSAP). If there is a strong trust relationship between the PSAP operator and the VSP (for example based on a peering relationship) without any intermediate VoIP providers then the identification of a PSAP call back is less problematic than in the case where the two entities have not entered in some form of relationship that would allow the VSP to verify whether the marked callback message indeed came from a legitimate source.

We would like to thank members from the ECRIT working group, in particular Brian Rosen and Milan Patel, for their discussions around PSAP callbacks.